CVE-2022-21646

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21646

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21646.json

Aliases

GHSA-7p8f-8hjm-wm92

Published

2022-01-11T22:15:07Z

Modified

2023-11-29T09:24:51.185454Z

Details

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In v1.3.0, the wildcard is ignored entirely in lookup's dispatch, resulting in the banned wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.

References

Affected packages

Git / github.com/authzed/spicedb

Affected ranges

Type: GIT
Repo: https://github.com/authzed/spicedb
Events: Introduced

0The exact introduced commit is unknown

Fixed

15bba2e2d2a4bda336a37a7fe8ef8a35028cd970

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0