Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0zYzMyLTRocTktNndnas4ABAQV

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not

Impact

Clients that have enabled LookupResources2 and have caveats in the evaluation path for their requests can return a permissionship of CONDITIONAL with context marked as missing, even then the context was supplied.

LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0

Patches

The bug will be released as part of SpiceDB 1.37.1

Workarounds

Disable LookupResources2 via the --enable-experimental-lookup-resources flag by setting it to false

--enable-experimental-lookup-resources=false

Permalink: https://github.com/advisories/GHSA-3c32-4hq9-6wgj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zYzMyLTRocTktNndnas4ABAQV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 1 day ago
Updated: 1 day ago

CVSS Score: 2.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-3c32-4hq9-6wgj, CVE-2024-48909
References:

• https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj
• https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853
• https://nvd.nist.gov/vuln/detail/CVE-2024-48909
• https://github.com/advisories/GHSA-3c32-4hq9-6wgj

Repository: https://github.com/authzed/spicedb
Blast Radius: 2.5

Affected Packages