CVE-2024-23820: 
Wolfi vulnerability analysis and mitigation

OpenFGA, an authorization/permission engine, was found to be vulnerable to a denial of service attack in versions prior to 1.4.3. The vulnerability was discovered and disclosed on January 26, 2024. The issue affects all OpenFGA installations running versions earlier than 1.4.3 (NVD).

The vulnerability stems from improper memory management in the ListObjects API call. In specific scenarios dependent on the model and tuples used, the ListObjects function fails to release memory properly after execution. When a high number of these calls are made, particularly those that hit the --listObjects-deadline setting, it can lead to memory exhaustion, ultimately causing an 'out of memory' error and server termination. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, GitHub Advisory).

When exploited, this vulnerability can cause the OpenFGA server to crash due to memory exhaustion, leading to service unavailability. The impact is primarily on the availability aspect of the system, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in OpenFGA version 1.4.3. Users are strongly advised to upgrade to this version, as it contains the necessary fixes to prevent memory leaks during ListObjects operations. The upgrade is confirmed to be backwards compatible (GitHub Release, GitHub Advisory).