
Severity: High
EPSS: 0.00343% (0.56301 percentile)

Lookup operations do not take into account wildcards in SpiceDB

Affected Package                 Affected Versions   Fixed Versions
go:github.com/authzed/spicedb    = 1.3.0             1.4.0

16 dependent packages
17 dependent repositories

Affected Version Ranges

= 1.3.0 (fixed in 1.4.0)

All affected versions

1.3.0

All unaffected versions

0.0.1, 0.0.2, 0.0.3, 1.0.0, 1.1.0, 1.2.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.22.1, 1.22.2, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.29.4, 1.29.5, 1.30.0, 1.30.1, 1.31.0, 1.32.0, 1.33.0, 1.33.1, 1.34.0, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.38.1, 1.39.0, 1.39.1, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.42.1, 1.43.0, 1.44.0, 1.44.2, 1.44.3, 1.44.4, 1.45.0, 1.45.1

Impact

Any user who stores a wildcard relationship on the right-hand branch of an exclusion or within an intersection will see Lookup/LookupResources report a resource as "accessible" even though the wildcard in the intersection, or on the right side of the exclusion, makes it inaccessible. The lookup path silently drops the wildcard, so the set of resources it returns is a superset of what the permission actually grants.

For example, given schema:

definition user {}

definition resource {
   relation viewer: user
   // banned accepts individual users or the user:* wildcard
   relation banned: user | user:*
   // view = viewer minus banned; a wildcard in banned should exclude every user
   permission view = viewer - banned
}

If user:* is placed into the banned relation for a particular resource, view should evaluate to false for every user on that resource. In v1.3.0 the wildcard is ignored entirely in lookup's dispatch, so the banned wildcard is dropped from the exclusion and LookupResources still reports the resource as viewable. Any application that uses LookupResources to enumerate what a user may see (for example, to build a listing) will therefore over-report access on such resources.
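The following is an added example, not code from the advisory or from the SpiceDB project. It models the schema above in plain Go (a constructed in-memory relationship store, not SpiceDB's real dispatch) so the faulty and the correct lookup behaviour can be compared side by side: LookupView with honourWildcard=false mimics the 1.3.0 dispatch that drops wildcards, CheckView evaluates one (resource, subject) pair correctly, and Mismatches is the kind of consistency check a deployment could run, comparing lookup output against a per-resource check. Resource and user names are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Subject is a SpiceDB-style subject reference such as "user:alice";
// Wildcard is the "user:*" form the banned relation accepts.
type Subject string

const Wildcard Subject = "user:*"

// Store is a constructed in-memory model of relationships for the advisory's
// schema (viewer: user, banned: user | user:*, view = viewer - banned).
// rels[relation][resource] is the set of subjects written to that relation.
type Store struct {
	rels map[string]map[string]map[Subject]bool
}

func NewStore() *Store {
	return &Store{rels: map[string]map[string]map[Subject]bool{}}
}

// Write records "resource#relation@subject".
func (s *Store) Write(resource, relation string, subj Subject) {
	if s.rels[relation] == nil {
		s.rels[relation] = map[string]map[Subject]bool{}
	}
	if s.rels[relation][resource] == nil {
		s.rels[relation][resource] = map[Subject]bool{}
	}
	s.rels[relation][resource][subj] = true
}

// hasSubject reports whether relation on resource contains subj. When
// honourWildcard is true a stored user:* matches any subject; when false the
// wildcard is ignored, which is the 1.3.0 lookup-dispatch behaviour.
func (s *Store) hasSubject(resource, relation string, subj Subject, honourWildcard bool) bool {
	subs := s.rels[relation][resource]
	if subs[subj] {
		return true
	}
	return honourWildcard && subs[Wildcard]
}

// CheckView evaluates view = viewer - banned for one pair, honouring the
// wildcard on the excluded branch as the schema intends.
func (s *Store) CheckView(resource string, subj Subject) bool {
	return s.hasSubject(resource, "viewer", subj, true) &&
		!s.hasSubject(resource, "banned", subj, true)
}

// LookupView returns, sorted, every resource on which subj has view.
// honourWildcard=false reproduces the bug: the banned wildcard is dropped
// from the exclusion, so banned resources are still reported.
func (s *Store) LookupView(subj Subject, honourWildcard bool) []string {
	var out []string
	for res := range s.rels["viewer"] {
		if s.hasSubject(res, "viewer", subj, true) &&
			!s.hasSubject(res, "banned", subj, honourWildcard) {
			out = append(out, res)
		}
	}
	sort.Strings(out)
	return out
}

// Mismatches returns the resources a lookup reported that a per-resource
// check denies; a non-empty result is the over-reporting the advisory describes.
func Mismatches(s *Store, subj Subject, lookup []string) []string {
	var bad []string
	for _, res := range lookup {
		if !s.CheckView(res, subj) {
			bad = append(bad, res)
		}
	}
	return bad
}

// DemoStore builds constructed sample data: doc1 bans everyone via the
// wildcard, doc2 has no bans, doc3 bans alice explicitly.
func DemoStore() *Store {
	s := NewStore()
	for _, res := range []string{"resource:doc1", "resource:doc2", "resource:doc3"} {
		s.Write(res, "viewer", "user:alice")
	}
	s.Write("resource:doc1", "banned", Wildcard)
	s.Write("resource:doc3", "banned", "user:alice")
	return s
}

func main() {
	s := DemoStore()
	buggy := s.LookupView("user:alice", false)
	fmt.Println("1.3.0-style lookup:", buggy)
	fmt.Println("wildcard-aware lookup:", s.LookupView("user:alice", true))
	fmt.Println("reported but denied by check:", Mismatches(s, "user:alice", buggy))
}
```

The buggy lookup lists doc1 and doc2 while the per-resource check denies doc1; doc3 is excluded on both paths because the ban there is an explicit subject, which is why the defect only surfaces with wildcards.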

Workarounds

Upgrade to 1.4.0. Until then, do not use wildcards within intersections or on the right side of exclusions; until the upgrade is in place, treat LookupResources output as untrusted for any permission whose definition contains such a wildcard.

References

https://github.com/authzed/spicedb/issues/358

For more information

If you have any questions or comments about this advisory: