LookupResources may return partial results in spicedb
Description
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using LookupResources to find a list of banned resources instead, then some users that shouldn't have access may. Generally, LookupResources is not and should not be to gate access in this way - that's what the Check API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using LookupResources for negative authorization decisions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/authzed/spicedbGo | >= 1.22.0, < 1.22.2 | 1.22.2 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-m54h-5x5f-5m6rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-35930ghsaADVISORY
- github.com/authzed/spicedb/pull/1397ghsax_refsource_MISCWEB
- github.com/authzed/spicedb/releases/tag/v1.22.2ghsaWEB
- github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6rghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.