Lucene search

Veracode Vulnerability DatabaseVERACODE:44086

HistoryNov 01, 2023 - 5:57 a.m.

Information Disclosure

2023-11-0105:57:11

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

github

authzed

spicedb

information disclosure

uri validation

attacker

password

logs

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

37.3%

JSON

github.com/authzed/spicedb is vulnerable to Information Disclosure. The vulnerability is due to a lack of datastore URI validation allowing an attacker to insert a password with a colon (“:”), which then results in the entire URI, including the plaintext password, being displayed in the logs.

CPENameOperatorVersion
github.com/authzed/spicedblev1.26.0-rc1
github.com/authzed/spicedblev1.26.0-rc1

CPE	Name	Operator	Version
	github.com/authzed/spicedb	le	v1.26.0-rc1
	github.com/authzed/spicedb	le	v1.26.0-rc1

References

github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8

github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

37.3%

JSON

Related for VERACODE:44086