logo

Database

Lack of data validation - Type confusion In github.com/authzed/spicedb

Description

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not

Impact

Clients that have enabled LookupResources2 and have caveats in the evaluation path for their requests can return a permissionship of CONDITIONAL with context marked as missing, even then the context was supplied.

LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0

Patches

The bug will be released as part of SpiceDB 1.37.1

Workarounds

Disable LookupResources2 via the --enable-experimental-lookup-resources flag by setting it to false

--enable-experimental-lookup-resources=false

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-489092. NVD-2024-489093. OSV-2024-489094. GHSA-3c32-4hq9-6wgj5. GCVE-2024-48909

References

1. https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj2. https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.