VYPR
Moderate severityNVD Advisory· Published Oct 31, 2023· Updated Sep 5, 2024

`SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed

CVE-2023-46255

Description

SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/authzed/spicedbGo
< 1.27.0-rc11.27.0-rc1

Affected products

6

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.