Base Score

HIGH7.3

CVE-2024-8260

A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

VectorLOCAL

Published Byvulnreport@tenable.com

Published DateAug 30, 2024, 13:15

Affected Versions(1)

github.com/open-policy-agent/opa(Go)

Introduced0

Fixed0.68.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/open-policy-agent/opa(Go)	0	0.68.0	N/A

Weakness Type (CWE):CWE-294

CVSS Metrics

Base Score

7.3

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://www.tenable.com/security/research/tra-2024-36

Base Score

HIGH7.3

Weakness Type (CWE):CWE-294

CVSS Metrics

Base Score

7.3

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH