{"vulnerability": "cve-2022-36085", "sightings": [{"uuid": "3a0737b1-972c-4a14-8bc7-b1ee3f062a07", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-36085", "type": "seen", "source": "https://t.me/cibsecurity/49462", "content": "\u203c CVE-2022-36085 \u203c\n\nOpen Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe \u2014 and as such rejected \u2014 by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn\u2019t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-08T18:15:16.000000Z"}]}