
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-39341 is a high-severity vulnerability affecting OpenFGA (an authorization/permission engine) versions prior to 0.2.4. The vulnerability was discovered during an internal security assessment and disclosed on October 24, 2022. The issue affects systems that have wildcard (*) defined on tupleset relations in their authorization model (GitHub Advisory).
The vulnerability is classified as an improper authorization issue (CWE-285) with a CVSS v3.1 base score of 9.8 (CRITICAL) according to NVD assessment, while GitHub's assessment rates it at 5.9 (MEDIUM). The vulnerability occurs when a wildcard (*) is encountered in tupleset relation evaluation, which could lead to authorization bypass under specific conditions (NVD).
The vulnerability could result in authorization bypass, potentially allowing unauthorized access to protected resources. This affects any OpenFGA implementation that uses wildcard (*) assignments in tupleset relations, which are typically used in 'from' statements within the authorization model (GitHub Advisory).
The vulnerability has been patched in OpenFGA version 0.2.4. Users are advised to upgrade to this version or later. It should be noted that this update is not backward compatible with any authorization model that uses a wildcard on a tupleset relation (GitHub Release).
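As an added example (not code from the advisory or from the OpenFGA project), the following Python check scans an authorization model together with a set of relationship tuples and flags wildcard assignments on tupleset relations, the condition the advisory describes. The JSON model shape and the `object#relation@user` tuple notation are assumptions modelled on OpenFGA's formats, and the sample model and tuples are constructed.

```python
import json

# Constructed sample authorization model; the layout (type_definitions /
# relations / tupleToUserset / tupleset) is assumed to mirror OpenFGA's JSON form.
MODEL = json.loads("""
{
  "type_definitions": [
    {"type": "folder", "relations": {"viewer": {"this": {}}}},
    {"type": "document", "relations": {
      "parent": {"this": {}},
      "viewer": {"union": {"child": [
        {"this": {}},
        {"tupleToUserset": {"tupleset": {"relation": "parent"},
                            "computedUserset": {"relation": "viewer"}}}]}}}}
  ]
}
""")

# Constructed sample tuples in "object#relation@user" form; "*" is the wildcard user.
TUPLES = [
    "document:readme#parent@folder:eng",
    "document:secret#parent@*",      # wildcard on a tupleset relation: flagged
    "document:readme#viewer@*",      # wildcard on a plain relation: not flagged
    "folder:eng#viewer@user:anne",
]

def tupleset_relations(model):
    """Return the set of (type, relation) pairs used as a tupleset in any
    tupleToUserset rewrite, i.e. the relations referenced by 'from' clauses."""
    found = set()
    def walk(type_name, node):
        if "tupleToUserset" in node:
            found.add((type_name, node["tupleToUserset"]["tupleset"]["relation"]))
        for value in node.values():
            children = value if isinstance(value, list) else [value]
            for child in children:
                if isinstance(child, dict):
                    walk(type_name, child)
    for type_def in model["type_definitions"]:
        for rewrite in type_def.get("relations", {}).values():
            walk(type_def["type"], rewrite)
    return found

def wildcard_tupleset_tuples(model, tuples):
    """Return the tuples that assign the wildcard user to a tupleset relation."""
    risky = tupleset_relations(model)
    hits = []
    for tup in tuples:
        obj_rel, user = tup.rsplit("@", 1)
        obj, rel = obj_rel.split("#", 1)
        if user == "*" and (obj.split(":", 1)[0], rel) in risky:
            hits.append(tup)
    return hits
```

Run against a real tuple export before upgrading to 0.2.4 to see which tuples the non-backward-compatible change will affect.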
Source: This report was generated using AI