logo

Database

Insecure deserialization In github.com/authzed/spicedb

Description

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Background

Use of a relation of the form: relation folder: folder | folder#parent with an arrow such as folder->view can cause LookupSubjects to only return the subjects found under subjects for either folder or folder#parent.

This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation.

Impact

Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected.

Workarounds

Avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-320012. NVD-2024-320013. OSV-2024-320014. GHSA-j85q-46hg-36p25. GCVE-2024-32001

References

1. https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p22. https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b3. https://github.com/authzed/spicedb/releases/tag/v1.30.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.