漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Vulnerability Description
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
认证机制不恰当
Vulnerability Title
openfga 授权问题漏洞
Vulnerability Description
OpenFGA是OpenFGA团队开源的一款为开发人员构建并受 Google Zanzibar 启发的高性能和灵活的授权/许可引擎。 openFGA 1.18.0之前版本存在授权问题漏洞,该漏洞源于OIDC身份验证器在配置了authn.method为oidc且设置了authn.oidc.issuer但未设置authn.oidc.audience时,跳过了JWT受众验证,可能允许同一身份提供者为无关服务签发的令牌用于身份认证。
CVSS Information
N/A
Vulnerability Type
N/A