Skip to content

Latest commit

 

History

History
45 lines (28 loc) · 1.12 KB

SECURITY.md

File metadata and controls

45 lines (28 loc) · 1.12 KB

Security

Vulnerabilities

1 - 2021/05/06 - rules can generate fact with authority or ambient tags using variables

Affected versions:

  • Rust <1.1.0
  • Java: <1.1.0
  • Go: <1.0.0

Description

Rules of the format operation($ambient, #read) <- operation($ambient, $any) provided by blocks other than the authority block could be used to generate facts with the #authority or #ambient tags. This can result in elevation of privilege.

Recommandations

Upgrade immediately to non affected versions

Credits

This issue was reported by @svvac. Thanks a lot!

0 - 2021/05/06 - unbound variables in rule head

Affected versions:

  • Rust <1.0.1
  • Java: results in Null Pointer Exception in versions <1.1.0
  • Go: not affected

Description

Rules of the format operation($unbound, #read) <- operation($any1, $any2) could generate invalid facts containing variables, that would then confuse matching of other checks and make them succeed. This can result in elevation of privilege.

Recommandations

Upgrade immediately to non affected versions

Credits

This issue was reported by @svvac. Thanks a lot!