CVE-2024-40627

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40627
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40627.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40627
Aliases
Related
Published
2024-07-15T20:15:05Z
Modified
2025-01-08T02:47:21Z
Summary
[none]
Details

Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP OPTIONS requests are always allowed by OpaMiddleware, even when they lack authentication, and are passed through directly to the application. OpaMiddleware allows all HTTP OPTIONS requests without evaluating it against any policy. If an application provides different responses to HTTP OPTIONS requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/busykoala/fastapi-opa

Affected ranges

Type
GIT
Repo
https://github.com/busykoala/fastapi-opa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9588109ff651f7ffc92687129c4956126443fb8c
Fixed
9588109ff651f7ffc92687129c4956126443fb8c