Lucene search
K

9 matches found

CVE
CVE
added 2023/04/14 7:1 p.m.515 views

CVE-2023-29193

CVE-2023-29193 affects SpiceDB. The issue: the metrics service exposes the /debug/pprof/cmdline endpoint, which can reveal the spiceDB server’s command-line flags, including a configured --grpc-preshared-key, if exposed publicly on the metrics port. Impact: most production deployments following r...

8.7CVSS8.2AI score0.00762EPSS
CVE
CVE
added 2024/06/20 10:18 p.m.329 views

CVE-2024-38361

SpiceDB (spicedb) vulnerability CVE-2024-38361 affects the permission-check flow: an exclusion under an arrow with multiple resources may cause a NO_PERMISSION response when PERMISSION is expected on CheckPermission, due to a failure in the exclusion dispatcher to query all folders a user can acc...

5.3CVSS3.8AI score0.00396EPSS
CVE
CVE
added 2024/03/01 9:1 p.m.316 views

CVE-2024-27101

CVE-2024-27101 affects SpiceDB (Google Zanzibar-inspired permissions store). The root cause is an integer overflow in the chunking helper, which can cause dispatching to miss elements or panic when a resource has more than 65,535 relationships for a given resource and subject type. Affected API m...

9.1CVSS7AI score0.00456EPSS
CVE
CVE
added 2024/04/10 10:25 p.m.294 views

CVE-2024-32001

Summary: CVE-2024-32001 affects SpiceDB. A bug in relations of the form folder: folder | folder#parent, when the same subject type is used multiple times and an arrow is used over the relation, can cause LookupSubjects to return only a subset of subjects. This affects any user making a negative a...

4.3CVSS3.7AI score0.00578EPSS
CVE
CVE
added 2023/10/31 3:25 p.m.287 views

CVE-2023-46255

SpiceDB (open source, Google Zanzibar-inspired permissions store) has a log exposure flaw: if the datastore URI is malformed (for example, a password containing a colon), the full URI including the password is printed to logs. This is addressed in version 1.27.0-rc1. Upgrade to 1.27.0-rc1 or late...

6.5CVSS5.2AI score0.00391EPSS
CVE
CVE
added 2024/09/18 5:29 p.m.78 views

CVE-2024-46989

CVE-2024-46989 affects SpiceDB (spicedb): having multiple caveats on resources of the same indirect subject type within the same relation can cause CheckPermission to return NO_PERMISSION instead of PERMISSION when expected. The issue can occur when a resource has multiple groups and each is cave...

5.3CVSS3.9AI score0.0029EPSS
CVE
CVE
added 2025/06/06 5:36 p.m.64 views

CVE-2025-49011

SpiceDB (v1.44.x) vulnerability: when resolving CheckPermission paths that involve arrows with caveats, the evaluation across multiple caveated branches may incorrectly return NO_PERMISSION instead of PERMISSION. Root cause is in caveats on an arrow’ed relation affecting multi-branch permission c...

5.3CVSS7.1AI score0.00266EPSS
CVE
CVE
added 2025/11/10 10:28 p.m.58 views

CVE-2025-64529

SpiceDB prior to v1.45.2 is affected when the exclusion operator is used and a per-call payload is large due to --write-relationships-max-updates-per-call > 6500. In this scenario, WriteRelationships can return success for a failed operation and produce incorrect permission results if the affe...

6.9CVSS6.3AI score0.0024EPSS
CVE
CVE
added 2025/11/21 10:2 p.m.12 views

CVE-2025-65111

CVE-2025-65111 affects SpiceDB prior to version 1.47.1. Affected behavior: when a schema defines a permission as a union and the union references the same relation on both sides (but one side points to a different permission), the LookupResources API may return incomplete results. Other APIs calc...

6.3CVSS6.3AI score0.00194EPSS