Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1ncmp2LWdqZ3ItNjZnMs4AA9Px

SpiceDB exclusions can result in no permission returned when permission expected

Background

Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected.

For example, given this schema:

definition user {}

definition folder {
  relation member: user
  relation banned: user
  permission view = member - banned
}

definition resource {
  relation folder: folder
  permission view = folder->view
}

If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that all the folders in which the user is a member be returned

Impact

Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.

Workarounds

None

Permalink: https://github.com/advisories/GHSA-grjv-gjgr-66g2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncmp2LWdqZ3ItNjZnMs4AA9Px
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 3 months ago
Updated: about 1 month ago

CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-grjv-gjgr-66g2, CVE-2024-38361
References:

• https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2
• https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb
• https://nvd.nist.gov/vuln/detail/CVE-2024-38361
• https://github.com/advisories/GHSA-grjv-gjgr-66g2

Repository: https://github.com/authzed/spicedb
Blast Radius: 4.6

Affected Packages