CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score confidence: High
EPSS percentile: 9.6%
Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected
For example, given this schema:

    definition user {}

    caveat somecaveat(somefield int) {
        somefield == 42
    }

    definition group {
        relation member: user
    }

    definition resource {
        // several group#member subjects may be written on this relation, each with its own caveat context
        relation viewer: group#member with somecaveat
        // the advisory text reads `folder->view`, which references no `folder` relation;
        // the permission the advisory describes is computed from `viewer`
        permission view = viewer
    }
If the resource is granted to multiple groups via the same relation, and each group entry is caveated, the returned permission can be "no permission" even though permission should be granted.
On the CheckPermission API, the result is NO_PERMISSION where PERMISSION is expected.
Workaround: do not use caveats at all, or at least do not use caveats on an indirect subject type (such as group#member) that has multiple entries on the same relation.
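An added example, not code from the advisory or from SpiceDB, modelling the result the advisory says is expected: when a user is reachable through several caveated group#member entries on the same relation, the per-path caveat results combine by OR, so one satisfied path is enough for PERMISSION. The relationship data, the user and group names, and the context-merge rule are constructed assumptions.

```python
# Added example (not from the advisory or SpiceDB): a minimal model of how CheckPermission
# is expected to combine several caveated paths through the same indirect subject type
# (group#member). Relationship data below is constructed for illustration.
from typing import Callable, Dict, Optional

def somecaveat(ctx: Dict[str, int]) -> Optional[bool]:
    """The advisory's caveat: somefield == 42. None means the field is missing."""
    if "somefield" not in ctx:
        return None
    return ctx["somefield"] == 42

CAVEATS: Dict[str, Callable[[Dict[str, int]], Optional[bool]]] = {"somecaveat": somecaveat}

# (resource, relation, subject, caveat name or None, stored caveat context)
RELATIONSHIPS = [
    # resource:doc#viewer has three caveated group#member subjects, each with its own context
    ("resource:doc", "viewer", "group:a#member", "somecaveat", {"somefield": 42}),
    ("resource:doc", "viewer", "group:b#member", "somecaveat", {"somefield": 7}),
    ("resource:doc", "viewer", "group:c#member", "somecaveat", {}),
    # resource:doc2#viewer has one caveated group whose context must come from the request
    ("resource:doc2", "viewer", "group:c#member", "somecaveat", {}),
    ("group:a", "member", "user:alice", None, {}),
    ("group:b", "member", "user:alice", None, {}),
    ("group:c", "member", "user:alice", None, {}),
]

def members(group: str) -> set:
    return {s for (r, rel, s, _, _) in RELATIONSHIPS if r == group and rel == "member"}

def check_view(resource: str, user: str, request_ctx: Dict[str, int]) -> str:
    """Expected result of `permission view = viewer`: the per-path caveat results are OR-ed,
    so a single satisfied path is enough for PERMISSION. The advisory's bug instead yielded
    NO_PERMISSION in the multi-group case."""
    outcomes = []
    for (r, rel, subject, caveat, stored) in RELATIONSHIPS:
        if r != resource or rel != "viewer" or not subject.endswith("#member"):
            continue
        if user not in members(subject.split("#")[0]):
            continue
        # Assumption made by this model: stored relationship context overrides
        # request context for the same field.
        ctx = {**request_ctx, **stored}
        outcomes.append(True if caveat is None else CAVEATS[caveat](ctx))
    if any(o is True for o in outcomes):
        return "PERMISSION"
    if any(o is None for o in outcomes):
        return "CONDITIONAL_PERMISSION"  # a path exists but its caveat needs more context
    return "NO_PERMISSION"
```

A regression check against a real deployment would issue the same relationships and assert that the multi-group case returns PERMISSION rather than NO_PERMISSION.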