CVE-2022-39352: 
Wolfi vulnerability analysis and mitigation

OpenFGA (Fine-Grained Authorization), a high-performance authorization/permission engine inspired by Google Zanzibar, was found to contain a vulnerability in versions prior to 0.2.5. The vulnerability, identified as CVE-2022-39352, could lead to authorization bypass under specific conditions when using wildcard (*) assignments in tupleset relations. The issue was discovered during an internal security assessment and was disclosed on November 7, 2022 (GitHub Advisory, CVE Mitre).

The vulnerability affects systems where tuples with a wildcard (*) are assigned to a tupleset relation (specifically on the right-hand side of a 'from' statement). This configuration could lead to unauthorized access due to improper handling of wildcard permissions in the authorization logic (GitHub Advisory).

The vulnerability could result in authorization bypass, potentially allowing unauthorized users to gain access to protected resources. This poses a significant security risk for systems using affected versions of OpenFGA for access control and permission management (GitHub Advisory).

The vulnerability has been patched in OpenFGA version 0.2.5. Users are strongly advised to upgrade to this version. However, it's important to note that this update is not backward compatible with any authorization model that uses wildcard on a tupleset relation. Any tuples where the user field is set to a userset and the tuple's relation is used on the right-hand side of a from statement must be rewritten (GitHub Advisory).