CVE-2023-45810: 
Wolfi vulnerability analysis and mitigation

OpenFGA, a flexible authorization/permission engine built for developers and inspired by Google Zanzibar, was found to contain a vulnerability identified as CVE-2023-45810. The vulnerability was discovered and disclosed on October 17, 2023, affecting all versions of OpenFGA up to version 1.3.3. The issue was identified as a denial of service vulnerability that impacts the core functionality of the authorization engine (GitHub Advisory, NVD).

The vulnerability stems from improper resource management in the ListObjects functionality. When multiple ListObjects calls are executed, the system fails to properly release resources even after sending responses. This resource leak can accumulate over time, leading to service unresponsiveness. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 5.3 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The weakness has been categorized as CWE-400 (Uncontrolled Resource Consumption) (NVD).

The primary impact of this vulnerability is the potential for denial of service conditions. When exploited, the vulnerability can cause the OpenFGA service to become completely unresponsive, affecting the availability of the authorization system for all users (GitHub Advisory).

The vulnerability has been patched in OpenFGA version 1.3.4. Users are strongly advised to upgrade to this version or later, as there are no known workarounds for this vulnerability. The upgrade is considered backwards compatible, making it a straightforward remediation process (GitHub Advisory).