CVE-2022-36085 - Vulnerability Details

Vendors	Products
Openpolicyagent	Open Policy Agent

Link	Providers
https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823
https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8
https://github.com/open-policy-agent/opa/pull/4540
https://github.com/open-policy-agent/opa/pull/4616
https://github.com/open-policy-agent/opa/releases/tag/v0.43.1
https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr
https://nvd.nist.gov/vuln/detail/CVE-2022-36085
https://www.cve.org/CVERecord?id=CVE-2022-36085

{"containers": {"cna": {"affected": [{"product": "opa", "vendor": "open-policy-agent", "versions": [{"status": "affected", "version": ">= 0.40.0, < 0.43.1"}]}], "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T13:30:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}], "source": {"advisory": "GHSA-f524-rf33-2jjr", "discovery": "UNKNOWN"}, "title": "OPA Compiler: Bypass of WithUnsafeBuiltins using `with` keyword to mock functions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36085", "STATE": "PUBLIC", "TITLE": "OPA Compiler: Bypass of WithUnsafeBuiltins using `with` keyword to mock functions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "opa", "version": {"version_data": [{"version_value": ">= 0.40.0, < 0.43.1"}]}}]}, "vendor_name": "open-policy-agent"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693: Protection Mechanism Failure"}]}, {"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr", "refsource": "CONFIRM", "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}, {"name": "https://github.com/open-policy-agent/opa/pull/4540", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"name": "https://github.com/open-policy-agent/opa/pull/4616", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"name": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"name": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"name": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1", "refsource": "MISC", "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}]}, "source": {"advisory": "GHSA-f524-rf33-2jjr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.645Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36085", "datePublished": "2022-09-08T13:30:16", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.645Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "24044142-C7B3-4994-9F36-5ED0299C8E5B", "versionEndExcluding": "0.43.1", "versionStartIncluding": "0.40.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead."}, {"lang": "es", "value": "Open Policy Agent (OPA) es un motor de pol\u00edticas de prop\u00f3sito general de c\u00f3digo abierto. El compilador de Rego proporciona una funci\u00f3n \"WithUnsafeBuiltins\" (en desuso), que permite a usuarios proporcionar un conjunto de funciones integradas que el compilador deber\u00eda considerar inseguras y, como tales, rechazarlas si son encontradas en la etapa de compilaci\u00f3n de pol\u00edticas. . Se ha encontrado una omisi\u00f3n de esta protecci\u00f3n, en la que \"WithUnsafeBuiltins\" no es tenido en cuenta el uso de la palabra clave \"with\" para simular una funci\u00f3n integrada de este tipo (una caracter\u00edstica introducida en OPA v0.40.0). Deben cumplirse m\u00faltiples condiciones para crear un efecto adverso. La versi\u00f3n 0.43.1 contiene un parche para este problema. Como mitigaci\u00f3n, evite usar la funci\u00f3n \"WithUnsafeBuiltins\" y use la funcionalidad \"capabilities\" en su lugar"}], "id": "CVE-2022-36085", "lastModified": "2024-11-21T07:12:21.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-08T14:15:08.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/pull/4540"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/pull/4616"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "open-policy-agent: Compiler Bypass of WithUnsafeBuiltins using \"with\" keyword to mock functions", "id": "2125532", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2125532"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "(CWE-20|CWE-693)", "details": ["Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.", "A flaw was found in open-policy-agent. The Rego compiler provides a deprecated WithUnsafeBuiltins function, allowing users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage. A bypass of this protection can occur where the use of the 'with' keyword to mock the built-in function (a feature introduced in OPA v0.40.0) is not taken into account by the WithUnsafeBuiltins function."], "name": "CVE-2022-36085", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/lokistack-gateway-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/opa-openshift-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/gatekeeper-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-slim-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/cnf-tests-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ztp-site-generate-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-09-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-36085\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-36085\nhttps://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"], "threat_severity": "Important", "upstream_fix": "open-policy-agent 0.43.1, open-policy-agent 0.44.0"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object