216 matches found
GHSA-CJR9-MR35-7XH6 vulnerabilities
Vulnerabilities for packages: spicedb...
GHSA-CJR9-MR35-7XH6 vulnerabilities
Vulnerabilities for packages: spicedb...
GHSA-CJR9-MR35-7XH6 SpiceDB binding metrics port to untrusted networks and can leak command-line flags
Background The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The /debug/pprof/cmdline endpoint served by the metrics service...
SpiceDB binding metrics port to untrusted networks and can leak command-line flags
Background The spicedb serve command contains a flag named --grpc-preshared-key which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The /debug/pprof/cmdline endpoint served by the metrics service...
PT-2023-2479 · Spicedb · Spicedb
Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.19.1 Description: The issue is related to the SpiceDB database system, specifically with the /debug/pprof/cmdline endpoint served by the metrics service, which reveals command-line flags provided for debugging...
GHSA-7P8F-8HJM-WM92 Lookup operations do not take into account wildcards in SpiceDB
Impact Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the rig...
Lookup operations do not take into account wildcards in SpiceDB
Impact Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the rig...
Lookup operations do not take into account wildcards in SpiceDB
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not...
Improper Input Validation
spicedb is vulnerable to improper input validation. The vulnerability exists due to wrongly implemented wildcard which allows an attacker to perform unauthenticated actions with wildcard permissions...
CVE-2022-21646
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not...
Design/Logic Flaw
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not...
CVE-2022-21646 Lookup operations do not take into account wildcards in SpiceDB
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not...
CVE-2022-21646
SpiceDB vulnerability CVE-2022-21646 affects wildcard handling in lookups: using a wildcard on the right side of an intersection or within an exclusion can cause Lookup/LookupResources to treat resources as accessible when they are not. In v1.3.0 the wildcard was ignored in dispatch, making the b...
CVE-2022-21646 Lookup operations do not take into account wildcards in SpiceDB
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not...
CVE-2022-21646 Lookup operations do not take into account wildcards in SpiceDB
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not...
PT-2022-15001 · Spicedb · Spicedb
Name of the Vulnerable Software and Affected Versions: SpiceDB versions 1.3.0 Description: The issue concerns the handling of wildcard relationships in SpiceDB, specifically within exclusion or intersection operations. When a user utilizes a wildcard relationship under the right-hand branch of an...