CVE-2023-46255

2023-10-3116:15:10

Google

osv.dev

spicedb

open source

security-critical

permissions

database

uri

logs

vulnerability

patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.

CPENameOperatorVersion
spicedbeq1.22.1
spicedbeq1.22.1-rc1
spicedbeq1.24.0-rc2
spicedbeq0.0.2
spicedbeq1.17.0
spicedbeq1.13.0
spicedbeq1.25.0-rc4
spicedbeq1.18.1
spicedbeq1.10.0
spicedbeq0.0.1

Name	Operator	Version
spicedb	eq	1.22.1
spicedb	eq	1.22.1-rc1
spicedb	eq	1.24.0-rc2
spicedb	eq	0.0.2
spicedb	eq	1.17.0
spicedb	eq	1.13.0
spicedb	eq	1.25.0-rc4
spicedb	eq	1.18.1
spicedb	eq	1.10.0
spicedb	eq	0.0.1