Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1qODVxLTQ2aGctMzZwMs4AA658

Low EPSS: 0.00091% (0.26869 Percentile) EPSS:
Permalink JSON

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Affected Packages Affected Versions Fixed Versions
go:github.com/authzed/spicedb < 1.30.1 1.30.1
16 Dependent packages
17 Dependent repositories

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.0.3, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.19.1, 1.20.0, 1.21.0, 1.22.0, 1.22.1, 1.22.2, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.29.4, 1.29.5, 1.30.0

All unaffected versions

1.30.1, 1.31.0, 1.32.0, 1.33.0, 1.33.1, 1.34.0, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.38.1, 1.39.0, 1.39.1, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.42.1, 1.43.0, 1.44.0, 1.44.2, 1.44.3, 1.44.4, 1.45.0, 1.45.1

Background

Use of a relation of the form: relation folder: folder | folder#parent with an arrow such as folder->view can cause LookupSubjects to only return the subjects found under subjects for either folder or folder#parent.

This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation.

Impact

Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected.

Workarounds

Avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.

References:

Identifiers

GHSA-j85q-46hg-36p2

CVE-2024-32001

Risk

Severity

Low

EPSS

EPSS Percentage: 0.00091

EPSS Percentile: 0.26869

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/authzed/spicedb

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON