An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNTRoLTV4NWYtNW02cs4AA0IM
SpiceDB's LookupResources may return partial results
Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. The failure mode is asymmetric. Using LookupResources to build the list of resources a subject is allowed to access is tolerable: when results are missing, some subjects are denied access they should have, but nobody gains access they should not (the decision fails closed). Using LookupResources to build a list of banned resources is not: when results are missing, some subjects gain access they should not have (the decision fails open).

The fix is in 1.22.2. As a workaround, do not use LookupResources for negative authorization decisions if using 1.22.0. LookupResources is not and should not be used to gate access in this way; that is what the Check API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release.
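The asymmetry above, shown as an added Go example (not SpiceDB's code or the actual mechanics of the bug). A toy in-memory store stands in for SpiceDB, with assumed "view" and "banned" permissions; its LookupResources silently drops one result to simulate a partial answer, and a small audit compares each lookup-based decision against Check for every resource. The relationships for user:alice are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Store is a toy relationship store standing in for SpiceDB: it maps
// permission -> subject -> set of resources. The store, the "view" and
// "banned" permissions and the way partial results are simulated are all
// assumptions of this example, not SpiceDB's data model or the actual
// mechanics of the 1.22.0 bug.
type Store map[string]map[string]map[string]bool

// Check answers a single "does subject have permission on resource?"
// question. This is the API that should gate access.
func (s Store) Check(permission, subject, resource string) bool {
	return s[permission][subject][resource]
}

// LookupResources returns every resource on which subject has permission,
// sorted for determinism. When partial is true the last result is silently
// dropped, standing in for the incomplete answers the advisory describes.
func (s Store) LookupResources(permission, subject string, partial bool) []string {
	var out []string
	for r := range s[permission][subject] {
		out = append(out, r)
	}
	sort.Strings(out)
	if partial && len(out) > 0 {
		out = out[:len(out)-1]
	}
	return out
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// AllowListDecision grants access only if resource appears in the
// LookupResources answer for "view". A dropped result can only turn an
// allow into a deny: the decision fails closed.
func AllowListDecision(s Store, subject, resource string, partial bool) bool {
	return contains(s.LookupResources("view", subject, partial), resource)
}

// DenyListDecision grants access unless resource appears in the
// LookupResources answer for "banned". A dropped result turns a deny into
// an allow: the decision fails open. This is the pattern the advisory warns
// against.
func DenyListDecision(s Store, subject, resource string, partial bool) bool {
	return !contains(s.LookupResources("banned", subject, partial), resource)
}

// Audit runs decide and truth over every resource and returns the resources
// on which they disagree, plus whether any disagreement granted access that
// truth would have denied.
func Audit(resources []string, decide, truth func(resource string) bool) (disagree []string, wrongGrant bool) {
	for _, r := range resources {
		d, t := decide(r), truth(r)
		if d != t {
			disagree = append(disagree, r)
			if d && !t {
				wrongGrant = true
			}
		}
	}
	return disagree, wrongGrant
}

// SampleStore builds constructed data: user:alice may view four documents
// and is banned from two of them.
func SampleStore() Store {
	return Store{
		"view":   {"user:alice": {"document:a": true, "document:b": true, "document:c": true, "document:d": true}},
		"banned": {"user:alice": {"document:b": true, "document:c": true}},
	}
}

func main() {
	s := SampleStore()
	docs := []string{"document:a", "document:b", "document:c", "document:d"}
	const alice = "user:alice"

	// Allow-list built from a partial LookupResources answer: one wrongful deny, no wrongful grant.
	dis, wrong := Audit(docs,
		func(r string) bool { return AllowListDecision(s, alice, r, true) },
		func(r string) bool { return s.Check("view", alice, r) })
	fmt.Printf("allow-list: disagreements=%v wrongful grant=%v\n", dis, wrong)

	// Deny-list built from a partial LookupResources answer: a banned document is let through.
	dis, wrong = Audit(docs,
		func(r string) bool { return DenyListDecision(s, alice, r, true) },
		func(r string) bool { return !s.Check("banned", alice, r) })
	fmt.Printf("deny-list:  disagreements=%v wrongful grant=%v\n", dis, wrong)
}
```

The audit is the check worth keeping: if any lookup-derived decision ever grants what Check denies, the lookup is being used as a gate, and the decision should be moved onto Check.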
For more information
If you have any questions or comments about this advisory: https://github.com/advisories/GHSA-m54h-5x5f-5m6r
Source: GitHub Advisory Database
Published: 5 months ago
Updated: 17 days ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-m54h-5x5f-5m6r, CVE-2023-35930
Fixed in: 1.22.2