History: Apr 10, 2024 - 11:15 p.m.

CVE-2024-32001

2024-04-10 23:15:07
CWE-755
GitHub_M
web.nvd.nist.gov
40
Tags: spicedb, graph database, access control, data, relation, bug, subjects, negative authorization, v1.30.1

CVSS3: 2.2

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

AI Score: 3.7
Confidence: High
EPSS: 0
Percentile: 15.5%

SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form relation folder: folder | folder#parent together with an arrow such as folder->view can cause LookupSubjects to return only the subjects found under one of the two subject types (folder or folder#parent) rather than both. This bug only manifests if the same subject type is used multiple times in a relation, relationships exist for both subject types, and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with a version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.
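The schema shape the advisory describes, written out as an added illustration rather than the reporter's or the project's own schema. The user, viewer and document names are assumptions, and the "split" variant is an assumed way to avoid the triggering condition (same subject type twice in one relation), derived from the conditions the advisory lists, not a fix taken from the project.

```zed
definition user {}

definition folder {
    relation parent: folder
    relation viewer: user
    // view is granted directly or inherited from the parent folder
    permission view = viewer + parent->view
}

// Affected shape (SpiceDB before v1.30.1): one relation lists the same subject
// type twice (folder and folder#parent) and is then walked with an arrow.
// With relationships written for BOTH subject types, LookupSubjects on
// document#view can return only the subjects reachable through one of them,
// so "subject absent from the result" must not be read as "subject denied".
definition document {
    relation folder: folder | folder#parent
    permission view = folder->view
}

// Assumed alternative that avoids the triggering condition: each subject type
// gets its own relation, so no relation repeats a subject type, while the
// computed permission stays the union of both arrows.
definition document_split {
    relation folder: folder
    relation parent_folder: folder#parent
    permission view = folder->view + parent_folder->view
}
```

On an unpatched version, a deny decision should come from a permission check for the specific subject rather than from its absence in a LookupSubjects result, which is the first workaround the advisory gives.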

Affected configurations

Vulners
Node: authzed spicedb, Range: < 1.30.1

Vendor: authzed | Product: spicedb | Version: * | CPE: cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "authzed",
    "product": "spicedb",
    "versions": [
      {
        "version": "< 1.30.1",
        "status": "affected"
      }
    ]
  }
]
