open-policy-agent: Compiler Bypass of WithUnsafeBuiltins using "with" keyword to mock functions
Description
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the with keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by WithUnsafeBuiltins. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the WithUnsafeBuiltins function and use the capabilities feature instead.
Severity
CRITICAL
Primary URL
https://avd.aquasec.com/nvd/cve-2022-36085
References