12 vulnerabilities by authzed
CVE-2025-65111 (GCVE-0-2025-65111)
Vulnerability from cvelistv5 – Published: 2025-11-21 22:02 – Updated: 2025-11-24 17:50
Summary
SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema defines a permission as a union (+) whose two sides reference the same relation, with one side using an arrow to a different permission, then SpiceDB may omit results from LookupResources when checking that permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1.
Severity
CWE
- CWE-277 - Insecure Inherited Permissions
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T17:50:38.603971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T17:50:51.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.47.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on both sides (but one side arrows to a different permission). Then SpiceDB may have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.9,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-277",
"description": "CWE-277: Insecure Inherited Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T22:02:52.563Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr"
},
{
"name": "https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2"
}
],
"source": {
"advisory": "GHSA-9m7r-g8hg-x3vr",
"discovery": "UNKNOWN"
},
"title": "SpiceDB\u0027s LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65111",
"datePublished": "2025-11-21T22:02:52.563Z",
"dateReserved": "2025-11-17T20:55:34.694Z",
"dateUpdated": "2025-11-24T17:50:51.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64529 (GCVE-0-2025-64529)
Vulnerability from cvelistv5 – Published: 2025-11-10 22:28 – Updated: 2025-11-12 20:12
Summary
SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`.
Severity
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T17:34:00.745696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:12:52.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.45.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source database system for creating and managing security-critical application permissions. In versions prior to 1.45.2, users who use the exclusion operator somewhere in their authorization schema; have configured their SpiceDB server such that `--write-relationships-max-updates-per-call` is bigger than 6500; and issue calls to WriteRelationships with a large enough number of updates that cause the payload to be bigger than what their datastore allows; will receive a successful response from their `WriteRelationships` call, when in reality that call failed, and receive incorrect permission check results, if those relationships had to be read to resolve the relation involving the exclusion. Version 1.45.2 contains a patch for the issue. As a workaround, set `--write-relationships-max-updates-per-call` to `1000`."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T22:28:51.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-pm3x-jrhh-qcr7"
}
],
"source": {
"advisory": "GHSA-pm3x-jrhh-qcr7",
"discovery": "UNKNOWN"
},
"title": "SpiceDB\u0027s WriteRelationships fails silently if payload is too big"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64529",
"datePublished": "2025-11-10T22:28:51.589Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-11-12T20:12:52.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49011 (GCVE-0-2025-49011)
Vulnerability from cvelistv5 – Published: 2025-06-06 17:36 – Updated: 2025-06-06 21:33
Summary
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.
Severity
CWE
- CWE-358 - Improperly Implemented Security Check for Standard
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49011",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T18:38:07.236832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T18:38:24.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.44.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow\u2019ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow\u2019ed relation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-358",
"description": "CWE-358: Improperly Implemented Security Check for Standard",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T21:33:23.317Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm"
},
{
"name": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67"
},
{
"name": "https://github.com/authzed/spicedb/releases/tag/v1.44.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2"
}
],
"source": {
"advisory": "GHSA-cwwm-hr97-qfxm",
"discovery": "UNKNOWN"
},
"title": "SpiceDB checks involving relations with caveats can result in no permission when permission is expected"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49011",
"datePublished": "2025-06-06T17:36:21.747Z",
"dateReserved": "2025-05-29T16:34:07.176Z",
"dateUpdated": "2025-06-06T21:33:23.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48909 (GCVE-0-2024-48909)
Vulnerability from cvelistv5 – Published: 2024-10-14 20:22 – Updated: 2024-10-15 14:45
Summary
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can receive a permissionship of `CONDITIONAL` with context marked as missing, even when the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.
Severity
CWE
- CWE-172 - Encoding Error
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48909",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T14:45:33.788441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T14:45:43.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.35.0, \u003c 1.37.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-172",
"description": "CWE-172: Encoding Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T20:22:17.777Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj"
},
{
"name": "https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853"
}
],
"source": {
"advisory": "GHSA-3c32-4hq9-6wgj",
"discovery": "UNKNOWN"
},
"title": "SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-48909",
"datePublished": "2024-10-14T20:22:17.777Z",
"dateReserved": "2024-10-09T22:06:46.171Z",
"dateUpdated": "2024-10-15T14:45:43.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46989 (GCVE-0-2024-46989)
Vulnerability from cvelistv5 – Published: 2024-09-18 17:29 – Updated: 2024-09-18 18:52
Summary
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users are advised to upgrade. Users unable to upgrade should not use caveats or avoid the use of caveats on an indirect subject type with multiple entries.
Severity
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T18:52:37.867476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T18:52:51.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.35.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be \"no permission\" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users are advised to upgrade. Users unable to upgrade should not use caveats or avoid the use of caveats on an indirect subject type with multiple entries."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T17:29:06.456Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr"
},
{
"name": "https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2"
}
],
"source": {
"advisory": "GHSA-jhg6-6qrx-38mr",
"discovery": "UNKNOWN"
},
"title": "Multiple caveats on resources of the same type can result in no permission when permission is expected"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-46989",
"datePublished": "2024-09-18T17:29:06.456Z",
"dateReserved": "2024-09-16T16:10:09.019Z",
"dateUpdated": "2024-09-18T18:52:51.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38361 (GCVE-0-2024-38361)
Vulnerability from cvelistv5 – Published: 2024-06-20 22:18 – Updated: 2024-08-02 04:04
Summary
Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned. Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. This issue has been addressed in version 1.33.1. All users are advised to upgrade. There are no known workarounds for this issue.
Severity
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"lessThan": "1.33.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T18:16:22.495588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T18:19:03.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:04:25.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2"
},
{
"name": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.33.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned. Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. This issue has been addressed in version 1.33.1. All users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-20T22:18:35.552Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2"
},
{
"name": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb"
}
],
"source": {
"advisory": "GHSA-grjv-gjgr-66g2",
"discovery": "UNKNOWN"
},
"title": "Permissions processing error in spacedb"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38361",
"datePublished": "2024-06-20T22:18:35.552Z",
"dateReserved": "2024-06-14T14:16:16.465Z",
"dateUpdated": "2024-08-02T04:04:25.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32001 (GCVE-0-2024-32001)
Vulnerability from cvelistv5 – Published: 2024-04-10 22:25 – Updated: 2024-08-02 01:59
Summary
SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form `relation folder: folder | folder#parent` with an arrow such as `folder->view` can cause LookupSubjects to return only the subjects found under either `folder` or `folder#parent`, but not both. This bug only manifests if the same subject type is used multiple times in a relation, relationships exist for both subject types, and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with a version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the affected schema pattern.
Severity
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T17:22:16.526254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T17:22:22.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2"
},
{
"name": "https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b"
},
{
"name": "https://github.com/authzed/spicedb/releases/tag/v1.30.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.30.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.30.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: `relation folder: folder | folder#parent` with an arrow such as `folder-\u003eview` can cause LookupSubjects to only return the subjects found under subjects for either `folder` or `folder#parent`. This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T22:25:12.353Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2"
},
{
"name": "https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b"
},
{
"name": "https://github.com/authzed/spicedb/releases/tag/v1.30.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.30.1"
}
],
"source": {
"advisory": "GHSA-j85q-46hg-36p2",
"discovery": "UNKNOWN"
},
"title": "SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32001",
"datePublished": "2024-04-10T22:25:12.353Z",
"dateReserved": "2024-04-08T13:48:37.492Z",
"dateUpdated": "2024-08-02T01:59:50.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27101 (GCVE-0-2024-27101)
Vulnerability from cvelistv5 – Published: 2024-03-01 21:01 – Updated: 2025-04-16 20:46
Summary
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
Severity
7.3 (High)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T15:27:55.622555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T20:46:45.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p"
},
{
"name": "https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.29.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-01T21:01:39.049Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p"
},
{
"name": "https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe"
}
],
"source": {
"advisory": "GHSA-h3m7-rqc4-7h9p",
"discovery": "UNKNOWN"
},
"title": "Integer overflow in chunking helper causes dispatching to miss elements or panic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27101",
"datePublished": "2024-03-01T21:01:39.049Z",
"dateReserved": "2024-02-19T14:43:05.994Z",
"dateUpdated": "2025-04-16T20:46:45.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46255 (GCVE-0-2023-46255)
Vulnerability from cvelistv5 – Published: 2023-10-31 15:25 – Updated: 2024-09-05 20:16
Summary
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue. Upgrading does not remove the password from logs that were already written; operators who ran an affected version with a malformed URI should treat the datastore credential as exposed to anyone with log access and rotate it.
Severity ?
4.2 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2 | x_refsource_CONFIRM |
| https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"
},
{
"name": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:15:56.911924Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:16:15.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0-rc1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-02T16:20:18.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"
},
{
"name": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"
}
],
"source": {
"advisory": "GHSA-jg7w-cxjv-98c2",
"discovery": "UNKNOWN"
},
"title": "`SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46255",
"datePublished": "2023-10-31T15:25:24.933Z",
"dateReserved": "2023-10-19T20:34:00.949Z",
"dateUpdated": "2024-09-05T20:16:15.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35930 (GCVE-0-2023-35930)
Vulnerability from cvelistv5 – Published: 2023-06-26 19:32 – Updated: 2024-11-06 21:06
Summary
SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find the list of resources a subject is allowed to access is okay, because the failure is closed: some subjects that should have access to a resource may not get it. But if `LookupResources` is used to find a list of banned resources instead, the failure is open: some users that shouldn't have access may get it. Generally, `LookupResources` is not, and should not be, used to gate access in this way - that's what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.
Severity ?
3.7 (Low)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r | x_refsource_CONFIRM |
| https://github.com/authzed/spicedb/pull/1397 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:41.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r"
},
{
"name": "https://github.com/authzed/spicedb/pull/1397",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/pull/1397"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-06T21:06:20.932122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T21:06:28.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "= 1.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using `LookupResources` to find a list of banned resources instead, then some users that shouldn\u0027t have access may. Generally, `LookupResources` is not and should not be to gate access in this way - that\u0027s what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-26T19:32:59.829Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r"
},
{
"name": "https://github.com/authzed/spicedb/pull/1397",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/pull/1397"
}
],
"source": {
"advisory": "GHSA-m54h-5x5f-5m6r",
"discovery": "UNKNOWN"
},
"title": "LookupResources may return partial results in spicedb"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35930",
"datePublished": "2023-06-26T19:32:59.829Z",
"dateReserved": "2023-06-20T14:02:45.593Z",
"dateUpdated": "2024-11-06T21:06:28.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29193 (GCVE-0-2023-29193)
Vulnerability from cvelistv5 – Published: 2023-04-14 19:01 – Updated: 2025-02-06 18:42
Summary
SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (running by default on port `9090`) reveals the command-line flags provided for debugging purposes. If the key is set via the `--grpc-preshared-key` flag then it is revealed by this endpoint, along with any other flags provided to the SpiceDB binary (including any other secret passed on the command line). This issue has been fixed in version 1.19.1.
### Impact
All deployments abiding by the recommended best practices for production usage are **NOT affected**:
- Authzed's SpiceDB Serverless
- Authzed's SpiceDB Dedicated
- SpiceDB Operator
Users configuring SpiceDB via environment variables are **NOT affected**.
Users **MAY be affected** if they expose their metrics port to an untrusted network and are configuring `--grpc-preshared-key` via command-line flag.
### Patches
Fixed in version 1.19.1 (see the fix commit and the v1.19.1 release tag under References below).
### Workarounds
To work around this issue you can do one of the following:
- Configure the preshared key via an environment variable (e.g. `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`)
- Reconfigure the `--metrics-addr` flag to bind to a trusted network (e.g. `--metrics-addr=localhost:9090`)
- Disable the metrics service via the flag (e.g. `--metrics-enabled=false`)
- Adopt one of the recommended deployment models: [Authzed's managed services](https://authzed.com/pricing) or the [SpiceDB Operator](https://github.com/authzed/spicedb-operator)
Note that the first option only keeps the key out of `/debug/pprof/cmdline`; the metrics listener itself stays reachable, so binding it to a trusted network or disabling it is the more complete mitigation (see the Go issues under References). If the metrics port was reachable from an untrusted network while the key was passed as a flag, treat the key as compromised and rotate it.
### References
- [GitHub Security Advisory issued for SpiceDB](https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6)
- [Go issue #22085](https://github.com/golang/go/issues/22085) for documenting the risks of exposing pprof to the internet
- [Go issue #42834](https://github.com/golang/go/issues/42834) discusses preventing pprof registration to the default serve mux
- [semgrep rule go.lang.security.audit.net.pprof.pprof-debug-exposure](https://semgrep.dev/r?q=go.lang.security.audit.net.pprof) checks for a variation of this issue
### Credit
We'd like to thank Amit Laish, a security researcher at GE Vernova for responsibly disclosing this vulnerability.
Severity ?
8.7 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6 | x_refsource_CONFIRM |
| https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999 | x_refsource_MISC |
| https://github.com/authzed/spicedb/releases/tag/v1.19.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6"
},
{
"name": "https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999"
},
{
"name": "https://github.com/authzed/spicedb/releases/tag/v1.19.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.19.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29193",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T18:42:06.218010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T18:42:12.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (defaulting running on port `9090`) reveals the command-line flags provided for debugging purposes. If a password is set via the `--grpc-preshared-key` then the key is revealed by this endpoint along with any other flags provided to the SpiceDB binary. This issue has been fixed in version 1.19.1.\n\n### Impact\n\nAll deployments abiding by the recommended best practices for production usage are **NOT affected**:\n- Authzed\u0027s SpiceDB Serverless\n- Authzed\u0027s SpiceDB Dedicated\n- SpiceDB Operator\n\nUsers configuring SpiceDB via environment variables are **NOT affected**.\n\nUsers **MAY be affected** if they expose their metrics port to an untrusted network and are configuring `--grpc-preshared-key` via command-line flag.\n\n### Patches\n\nTODO\n\n### Workarounds\n\nTo workaround this issue you can do one of the following:\n\n- Configure the preshared key via an environment variable (e.g. `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`)\n- Reconfigure the `--metrics-addr` flag to bind to a trusted network (e.g. `--metrics-addr=localhost:9090`)\n- Disable the metrics service via the flag (e.g. `--metrics-enabled=false`)\n- Adopt one of the recommended deployment models: [Authzed\u0027s managed services](https://authzed.com/pricing) or the [SpiceDB Operator](https://github.com/authzed/spicedb-operator)\n\n### References\n\n- [GitHub Security Advisory issued for SpiceDB](https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6)\n- [Go issue #22085](https://github.com/golang/go/issues/22085) for documenting the risks of exposing pprof to the internet\n- [Go issue #42834](https://github.com/golang/go/issues/42834) discusses preventing pprof registration to the default serve mux\n- [semgrep rule go.lang.security.audit.net.pprof.pprof-debug-exposure](https://semgrep.dev/r?q=go.lang.security.audit.net.pprof) checks for a variation of this issue\n\n### Credit\n\nWe\u0027d like to thank Amit Laish, a security researcher at GE Vernova for responsibly disclosing this vulnerability.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-14T19:01:01.317Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6"
},
{
"name": "https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999"
},
{
"name": "https://github.com/authzed/spicedb/releases/tag/v1.19.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.19.1"
}
],
"source": {
"advisory": "GHSA-cjr9-mr35-7xh6",
"discovery": "UNKNOWN"
},
"title": "SpiceDB binding metrics port to untrusted networks and can leak command-line flags"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29193",
"datePublished": "2023-04-14T19:01:01.317Z",
"dateReserved": "2023-04-03T13:37:18.453Z",
"dateUpdated": "2025-02-06T18:42:12.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21646 (GCVE-0-2022-21646)
Vulnerability from cvelistv5 – Published: 2022-01-11 21:50 – Updated: 2025-04-23 19:13
Summary
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "accessible" even when it is *not* accessible, because the wildcard in the intersection or on the right side of the exclusion is not honored. In `v1.3.0`, the wildcard is ignored entirely in lookup's dispatch, so a `banned` wildcard relation on the right side of an exclusion has no effect on lookup results. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards within intersections or on the right side of exclusions.
Severity ?
8.1 (High)
CWE
- CWE-155 - Improper Neutralization of Wildcards or Matching Symbols
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92 | x_refsource_CONFIRM |
| https://github.com/authzed/spicedb/issues/358 | x_refsource_MISC |
| https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970 | x_refsource_MISC |
| https://github.com/authzed/spicedb/releases/tag/v1.4.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.055Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/issues/358"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.4.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21646",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:58.194304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:13:28.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spicedb",
"vendor": "authzed",
"versions": [
{
"status": "affected",
"version": "= 1.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as \"accessible\" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup\u0027s dispatch, resulting in the `banned` wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don\u0027t make use of wildcards on the right side of intersections or within exclusions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-155",
"description": "CWE-155: Improper Neutralization of Wildcards or Matching Symbols",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-11T21:50:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/issues/358"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/authzed/spicedb/releases/tag/v1.4.0"
}
],
"source": {
"advisory": "GHSA-7p8f-8hjm-wm92",
"discovery": "UNKNOWN"
},
"title": "Lookup operations do not take into account wildcards in SpiceDB",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21646",
"STATE": "PUBLIC",
"TITLE": "Lookup operations do not take into account wildcards in SpiceDB"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "spicedb",
"version": {
"version_data": [
{
"version_value": "= 1.3.0"
}
]
}
}
]
},
"vendor_name": "authzed"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as \"accessible\" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup\u0027s dispatch, resulting in the `banned` wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don\u0027t make use of wildcards on the right side of intersections or within exclusions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-155: Improper Neutralization of Wildcards or Matching Symbols"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92",
"refsource": "CONFIRM",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92"
},
{
"name": "https://github.com/authzed/spicedb/issues/358",
"refsource": "MISC",
"url": "https://github.com/authzed/spicedb/issues/358"
},
{
"name": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970",
"refsource": "MISC",
"url": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970"
},
{
"name": "https://github.com/authzed/spicedb/releases/tag/v1.4.0",
"refsource": "MISC",
"url": "https://github.com/authzed/spicedb/releases/tag/v1.4.0"
}
]
},
"source": {
"advisory": "GHSA-7p8f-8hjm-wm92",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21646",
"datePublished": "2022-01-11T21:50:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:13:28.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}