GitHub_MCVELIST:CVE-2023-46255CVE-2023-46255 `SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed
4.2 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
37.3%
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.
CNA Affected
[
{
"vendor": "authzed",
"product": "spicedb",
"versions": [
{
"version": "< 1.27.0-rc1",
"status": "affected"
}
]
}
]Related
4.2 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
37.3%