CVE-2024-27101 – github.com/authzed/spicedb
Package
Manager: go
Name: github.com/authzed/spicedb
Vulnerable Version: >=0 <1.29.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00107 pctl0.29461
Details
Integer overflow in chunking helper causes dispatching to miss elements or panic

Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The issue may also lead to a panic, rendering the server unavailable.

The following API methods are affected:
- [CheckPermission](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.CheckPermission)
- [BulkCheckPermission](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.ExperimentalService.BulkCheckPermission)
- [LookupSubjects](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.LookupSubjects)

#### Impact
Permission checks that are expected to be allowed are instead denied, and LookupSubjects will return fewer subjects than expected.

#### Workarounds
There is no workaround other than making sure that the SpiceDB cluster does not have very wide relations; the maximum safe width is the maximum value of a 16-bit unsigned integer (65535).

#### Remediations
- AuthZed Dedicated customers: No action. AuthZed has upgraded all deployments.
- AuthZed Serverless customers: No action. AuthZed has upgraded all deployments.
- AuthZed Enterprise customers: Upgrade to [v1.29.2-hotfix-enterprise.v1.hotfix.v1](https://github.com/authzed-enterprise/src/pkgs/container/spicedb-enterprise/182719614?tag=v1.29.2-hotfix-enterprise.v1.hotfix.v1)
- Open Source users: Upgrade to v1.29.2
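The following is an added, constructed illustration of the bug class described above, not SpiceDB's own chunking helper: a helper that keeps the element count and chunk offsets in uint16 is shown beside the int-based version, so the silent truncation above 65535 elements and the panic path become visible. The int slice stands in for the relationship tuples being dispatched, and chunkSize is an assumed value.

```go
package main

import "fmt"
const chunkSize = 100 // relationships per dispatched request (constructed value)

// chunkVulnerable is a constructed illustration of the CVE-2024-27101 bug class
// (not SpiceDB's code): length and offsets live in uint16, so more than 65535
// items are truncated modulo 65536 and mostly never dispatched; near the limit
// the wrapped end offset can fall below start, and the slice expression panics.
func chunkVulnerable(items []int) [][]int {
	n := uint16(len(items)) // 65600 items -> n == 64
	var chunks [][]int
	for start := uint16(0); start < n; start += chunkSize {
		end := start + chunkSize // wraps once start+chunkSize > 65535
		if end > n {
			end = n
		}
		chunks = append(chunks, items[start:end])
	}
	return chunks
}

// chunkFixed uses int offsets, which cannot wrap for any slice that fits in
// memory, so every item lands in exactly one chunk.
func chunkFixed(items []int) [][]int {
	var chunks [][]int
	for start := 0; start < len(items); start += chunkSize {
		end := start + chunkSize
		if end > len(items) {
			end = len(items)
		}
		chunks = append(chunks, items[start:end])
	}
	return chunks
}

// countDispatched sums chunk lengths; a correct helper returns len(items).
func countDispatched(chunks [][]int) int {
	total := 0
	for _, c := range chunks {
		total += len(c)
	}
	return total
}

func main() {
	items := make([]int, 65600) // constructed input just over the 16-bit limit
	fmt.Printf("vulnerable: %d of %d\n", countDispatched(chunkVulnerable(items)), len(items))
	fmt.Printf("fixed:      %d of %d\n", countDispatched(chunkFixed(items)), len(items))
}
```

A regression test that feeds the helper slightly more than 65535 elements and asserts that the dispatched total equals the input length catches this class of bug before it reaches a cluster.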
Metadata
Created: 2024-03-01T23:32:10Z
Modified: 2024-03-01T23:32:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h3m7-rqc4-7h9p/GHSA-h3m7-rqc4-7h9p.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-h3m7-rqc4-7h9p
Finding: F111
Auto approve: 1