GHSA-J85Q-46HG-36P2 (Google OSV, osv.dev)
Published: Apr 10, 2024, 22:25

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used


CVSS3: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 6.8 (Confidence: High)
EPSS: 0 (Percentile: 15.5%)

Background

Use of a relation of the form "relation folder: folder | folder#parent", together with an arrow over it such as "folder->view", can cause LookupSubjects to return only the subjects reachable through one of the two subject types (folder or folder#parent) instead of through both.

This bug only manifests if the same subject type is used multiple times in a relation, relationships exist for both subject types, and an arrow is used over the relation.
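Added example (not code from the advisory or the SpiceDB project): a small local model of the affected schema shape, with constructed relationships for both subject kinds, that computes the complete subject set a LookupSubjects call should return and flags candidates a partial answer omitted. The schema, object names, relation names and relationship data are assumptions made for illustration.

```python
# Added example (constructed, not SpiceDB code): local model of the schema shape
# described above.  Assumed schema:
#   definition user {}
#   definition folder {
#       relation parent: folder
#       relation viewer: user
#       permission view = viewer + parent->view
#   }
#   definition document {
#       relation folder: folder | folder#parent   # same subject type used twice
#       permission view = folder->view            # arrow walked over that relation
#   }

RELATIONSHIPS = [  # constructed: relationships exist for BOTH subject kinds
    ("document:doc1", "folder", "folder:shared"),        # direct folder subject
    ("document:doc1", "folder", "folder:child#parent"),  # folder#parent userset
    ("folder:child", "parent", "folder:root"),
    ("folder:shared", "viewer", "user:alice"),
    ("folder:root", "viewer", "user:bob"),
]

def subjects_of(resource, relation):
    """Subjects written on resource#relation."""
    return [s for r, rel, s in RELATIONSHIPS if r == resource and rel == relation]

def folder_view(folder):
    """folder#view = viewer + parent->view, expanded recursively."""
    users = set(subjects_of(folder, "viewer"))
    for parent in subjects_of(folder, "parent"):
        users |= folder_view(parent)
    return users

def document_view(document):
    """document#view = folder->view; both kinds of 'folder' subject must be walked."""
    users = set()
    for subject in subjects_of(document, "folder"):
        if "#" in subject:  # userset folder:X#parent: walk every parent of X
            obj, rel = subject.split("#", 1)
            for parent in subjects_of(obj, rel):
                users |= folder_view(parent)
        else:               # plain folder:X subject
            users |= folder_view(subject)
    return users

def subjects_missing_from(lookup_result, document, candidates):
    """Candidates that per-subject evaluation allows but a LookupSubjects answer omitted."""
    allowed = document_view(document)
    return {c for c in candidates if c in allowed and c not in set(lookup_result)}

def may_deny(subject, document):
    return subject not in document_view(document)  # Check-style, never from LookupSubjects
```

With both subject kinds present, the complete answer for document:doc1#view is {user:alice, user:bob}; a partial answer containing only one of them is what subjects_missing_from exposes, and may_deny shows a negative decision derived from per-subject evaluation instead.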

Impact

Any user making a negative authorization decision based on the results of a LookupSubjects request against a SpiceDB version before v1.30.1 is affected.

Workarounds

Avoid using LookupSubjects for negative authorization decisions and/or avoid using the affected schema pattern.
