Lucene search

GoogleOSV:GHSA-JG7W-CXJV-98C2

HistoryOct 31, 2023 - 10:23 p.m.

SpiceDB leaks information in log files when URI cannot be parsed

2023-10-3122:23:44

Google

osv.dev

spicedb

log files

uri

password

security-critical application

permission management

google zanzibar-inspired

open source

version 1.27.0-rc1

database

information leakage

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. When the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.

Example output:

terminated with errors error="unable to create migration driver for postgres: parse \"postgres://spicedb:&lt;PASSWORD IN PLAINTEXT&gt;": invalid port \"&lt;PASSWORD IN PLAINTEXT&gt;\" after host"

CPENameOperatorVersion
github.com/authzed/spicedblt1.27.0-rc1

CPE	Name	Operator	Version
	github.com/authzed/spicedb	lt	1.27.0-rc1

References

github.com/authzed/spicedb

github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8

github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2

nvd.nist.gov/vuln/detail/CVE-2023-46255

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

Related for OSV:GHSA-JG7W-CXJV-98C2