CVE-2024-40627: 
Python vulnerability analysis and mitigation

Fastapi OPA is an opensource fastapi middleware which includes auth flow. The vulnerability (CVE-2024-40627) was discovered where HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. The issue affects versions up to and including 2.0.0 and has been fixed in version 2.0.1. The vulnerability was discovered and disclosed on July 15, 2024 (GitHub Advisory).

The vulnerability exists in the OpaMiddleware component where it allows all HTTP OPTIONS requests without evaluating them against any policy. The issue stems from a code section that explicitly bypasses authentication checks for OPTIONS requests. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

If an application provides different responses to HTTP OPTIONS requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This could lead to information disclosure and potential enumeration of system resources (GitHub Advisory).

The vulnerability has been fixed in version 2.0.1 of fastapi-opa. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Advisory).