SpiceDB Security Vulnerability
SpiceDB is a fine-grained permission database developed by the Authzed team. Versions of SpiceDB from 1.49.0 to 1.51.0 contain security vulnerabilities. These vulnerabilities stem from the inclusion of plaintext passwords, which may lead to credential leakage...
GO-2024-3131 SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb
SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb...
GO-2022-0295 Lookup operations do not take into account wildcards in SpiceDB in github.com/authzed/spicedb
Lookup operations do not take into account wildcards in SpiceDB in github.com/authzed/spicedb...
GO-2023-1871 SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb
SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb...
GO-2023-1723 SpiceDB binding metrics port to untrusted networks and can leak command-line flags in github.com/authzed/spicedb
SpiceDB binding metrics port to untrusted networks and can leak command-line flags in github.com/authzed/spicedb...
Improper Preservation Of Permissions
github.com/authzed/spicedb is vulnerable to Improper Preservation Of Permissions. The vulnerability is due to a failure in the exclusion dispatcher to request all the folders in which the user is a member, leading to an incorrect NOPERMISSION response when the user should have permission...
Integer overflow in chunking helper causes dispatching to miss elements or panic
Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The issue may also lead to a panic, rendering the server unavailable. The following API methods are affected: - CheckPermission -...
GHSA-H3M7-RQC4-7H9P Integer overflow in chunking helper causes dispatching to miss elements or panic
Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The issue may also lead to a panic, rendering the server unavailable. The following API methods are affected: - CheckPermission -...
Information Disclosure
github.com/authzed/spicedb is vulnerable to Information Disclosure. The vulnerability is due to a lack of datastore URI validation allowing an attacker to insert a password with a colon ":", which then results in the entire URI, including the plaintext password, being displayed in the logs...
Information Disclosure
github.com/authzed/spicedb is vulnerable to Information Disclosure. The vulnerability exists in the MetricsHandler function in defaults.go because it exposes the --grpc-preshared-key flag in the spicedb serve command, which allows an attacker to gain access to the secret key and perform unauthoriz...