History: Apr 10, 2024 - 10:25 p.m.

CVE-2024-32001 SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

2024-04-10 22:25:12
CWE-755
GitHub_M
www.cve.org
7
cve-2024-32001
spicedb
access control
relation bug
authorization
data storage

CVSS3

2.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

AI Score

4

Confidence

High

EPSS

0

Percentile

15.5%

SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form relation folder: folder | folder#parent together with an arrow such as folder->view can cause LookupSubjects to return only the subjects found under one of the two subject kinds, folder or folder#parent, rather than both. This bug only manifests if the same subject type is used multiple times in a relation, relationships exist for both subject types, and an arrow is used over that relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with a version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.
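The schema pattern the advisory describes, followed by a possible rework, as an added illustration that is not part of this advisory or of the SpiceDB project. The split-relation rewrite, the definition names document and document_split, and the claim that the split avoids the trigger are assumptions drawn from the advisory's own description of the triggering conditions, not a vendor-confirmed fix.

```zed
// Added illustration (not from the advisory). Affected pattern for
// CVE-2024-32001 in SpiceDB < 1.30.1: one relation lists the same subject
// type twice (folder and folder#parent), relationships exist for both, and a
// permission arrows over that relation. LookupSubjects on document#view may
// then return only the subjects reached through one of the two subject kinds.
definition user {}

definition folder {
    relation parent: folder
    relation viewer: user
    permission view = viewer + parent->view
}

definition document {
    // Same subject type used twice in a single relation ...
    relation folder: folder | folder#parent
    // ... and an arrow over it: the trigger described in the advisory.
    permission view = folder->view
}

// Assumed rework (not a vendor-confirmed fix): give each subject kind its own
// relation so no relation names the same subject type twice, and union the
// arrows in the permission. Existing document#folder relationships would have
// to be rewritten against the matching new relation.
definition document_split {
    relation folder: folder
    relation folder_parent: folder#parent
    permission view = folder->view + folder_parent->view
}

// Regardless of schema, on versions before 1.30.1 a deny decision should come
// from CheckPermission on the specific subject, not from a subject being
// absent from a LookupSubjects response.
```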

CNA Affected

[
  {
    "vendor": "authzed",
    "product": "spicedb",
    "versions": [
      {
        "version": "< 1.30.1",
        "status": "affected"
      }
    ]
  }
]
