LookupResources may return partial results in spicedb
Description
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using LookupResources to find a list of banned resources instead, then some users that shouldn't have access may. Generally, LookupResources is not and should not be to gate access in this way - that's what the Check API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using LookupResources for negative authorization decisions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/authzed/spicedbGo | >= 1.22.0, < 1.22.2 | 1.22.2 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-m54h-5x5f-5m6rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-35930ghsaADVISORY
- github.com/authzed/spicedb/pull/1397ghsax_refsource_MISCWEB
- github.com/authzed/spicedb/releases/tag/v1.22.2ghsaWEB
- github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6rghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.