CVE-2023-35930 – github.com/authzed/spicedb
Package
Manager: go
Name: github.com/authzed/spicedb
Vulnerable Version: =1.22.0 || >=1.22.0 <1.22.2
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00129 pctl0.33105
Details
SpiceDB's LookupResources may return partial results

### Impact

Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find the list of resources a subject should be allowed to access is acceptable: at worst, some subjects that should have access to a resource will not get it. But if `LookupResources` is used to find a list of banned resources instead, some users who shouldn't have access may be granted it. Generally, `LookupResources` is not and should not be used to gate access in this way; that is what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release.

### Workarounds

Avoid using `LookupResources` for negative authorization decisions if using `1.22.0`.

### Patches

The only affected release is [v1.22.0](https://github.com/authzed/spicedb/releases/tag/v1.22.0), and it is patched in [v1.22.2](https://github.com/authzed/spicedb/releases/tag/v1.22.2) (there is no v1.22.1 release, though there is a git tag).

### References

- https://github.com/authzed/spicedb/pull/1397

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [SpiceDB](https://github.com/authzed/spicedb)
* Ask a question in the [SpiceDB Discord](https://authzed.com/discord)
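The distinction the Impact section draws, as an added example that is not SpiceDB's or authzed-go's code: a constructed in-memory stand-in (the `Authorizer` interface, `fakeAuthorizer` and the sample grants are assumptions made for this example) simulates a partial `LookupResources` result and shows that a deny list built from it lets a banned resource through, while asking `Check` about the same pair does not.

```go
package main
import "fmt"
// Authorizer mirrors the two SpiceDB calls the advisory contrasts (a constructed stand-in, not authzed-go).
type Authorizer interface {
	Check(perm, resource, subject string) bool      // one exact question
	LookupResources(perm, subject string) []string // may be partial in v1.22.0
}

// fakeAuthorizer: true grants (perm -> subject -> resource), minus dropped ones in lookups.
type fakeAuthorizer struct {
	grants  map[string]map[string]map[string]bool
	dropped map[string]bool // simulates the v1.22.0 partial-result defect
}
func (f fakeAuthorizer) Check(p, r, s string) bool { return f.grants[p][s][r] }
func (f fakeAuthorizer) LookupResources(p, s string) (out []string) {
	for r := range f.grants[p][s] {
		if !f.dropped[r] {
			out = append(out, r)
		}
	}
	return out
}

// NewSampleAuthorizer: constructed data; alice is banned from doc:1 and doc:2, but the bug hides doc:2.
func NewSampleAuthorizer() Authorizer {
	return fakeAuthorizer{
		grants:  map[string]map[string]map[string]bool{"banned": {"alice": {"doc:1": true, "doc:2": true}}},
		dropped: map[string]bool{"doc:2": true},
	}
}

// AllowedViaLookup is the pattern the advisory warns against: a deny list built
// from LookupResources, so a partial list silently turns "banned" into "allowed".
func AllowedViaLookup(a Authorizer, resource, subject string) bool {
	for _, banned := range a.LookupResources("banned", subject) {
		if banned == resource {
			return false
		}
	}
	return true
}

// AllowedViaCheck asks Check about the exact pair; Check is unaffected by the bug.
func AllowedViaCheck(a Authorizer, resource, subject string) bool {
	return !a.Check("banned", resource, subject)
}
func main() {
	a := NewSampleAuthorizer()
	fmt.Println(AllowedViaLookup(a, "doc:2", "alice"), AllowedViaCheck(a, "doc:2", "alice")) // true false
}
```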
Metadata
Created: 2023-06-28T22:48:50Z
Modified: 2023-06-30T20:25:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-m54h-5x5f-5m6r/GHSA-m54h-5x5f-5m6r.json
CWE IDs: ["CWE-913"]
Alternative ID: GHSA-m54h-5x5f-5m6r
Finding: F039
Auto approve: 1