
x/vulndb: potential Go vuln in github.com/open-policy-agent/opa: CVE-2022-36085 #978

Closed
GoVulnBot opened this issue Sep 8, 2022 · 2 comments
@GoVulnBot

CVE-2022-36085 references github.com/open-policy-agent/opa, which may be a Go module.

Description:
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the with keyword to mock such a built-in function (a feature introduced in OPA v0.40.0) isn’t taken into account by WithUnsafeBuiltins. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the WithUnsafeBuiltins function and use the capabilities feature instead.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/open-policy-agent/opa
    packages:
      - package: opa
description: |
    Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0) isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
cves:
  - CVE-2022-36085
references:
  - web: https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr
  - fix: https://github.com/open-policy-agent/opa/pull/4540
  - fix: https://github.com/open-policy-agent/opa/pull/4616
  - fix: https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823
  - fix: https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8
  - web: https://github.com/open-policy-agent/opa/releases/tag/v0.43.1

@gopherbot
Contributor

Change https://go.dev/cl/430362 mentions this issue: data/reports: add GO-2022-0978.yaml for CVE-2022-36085

@gopherbot
Contributor

Change https://go.dev/cl/432417 mentions this issue: data/reports: add ghsa for GO-2022-0978.yaml

gopherbot pushed a commit that referenced this issue Sep 21, 2022
For #978

Change-Id: I406b786b54ac60aab524a83607459746a7ed972f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/432417
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>