CVE-2024-46989

CVE-2024-46989 affects SpiceDB (spicedb): having multiple caveats on resources of the same indirect subject type within the same relation can cause CheckPermission to return NO_PERMISSION instead of PERMISSION when expected. The issue can occur when a resource has multiple groups and each is cave...

CVE-2024-38361 Permissions processing error in spacedb

Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to NOPERMISSION when permission is expected. If the resource exists under multiple...

CVE-2024-38361

SpiceDB (spicedb) vulnerability CVE-2024-38361 affects the permission-check flow: an exclusion under an arrow with multiple resources may cause a NO_PERMISSION response when PERMISSION is expected on CheckPermission, due to a failure in the exclusion dispatcher to query all folders a user can acc...

CVE-2024-38361 Permissions processing error in spacedb

Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to NOPERMISSION when permission is expected. If the resource exists under multiple...

SpiceDB exclusions can result in no permission returned when permission expected

Background Use of an exclusion under an arrow that has multiple resources may resolve to NOPERMISSION when permission is expected. For example, given this schema: zed definition user definition folder relation member: user relation banned: user permission view = member - banned definition resourc...