CVE-2022-21646

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-21646
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21646.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-21646
Aliases
Published
2022-01-11T22:15:07Z
Modified
2024-05-23T01:23:34.691833Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In v1.3.0, the wildcard is ignored entirely in lookup's dispatch, resulting in the banned wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.

References

Affected packages

Git / github.com/authzed/spicedb

Affected ranges

Type
GIT
Repo
https://github.com/authzed/spicedb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0