CVE-2022-21646

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21646

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21646.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-21646

Aliases

Published

2022-01-11T22:15:07Z

Modified

2024-08-21T14:56:50.790866Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In v1.3.0, the wildcard is ignored entirely in lookup's dispatch, resulting in the banned wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.

References

Affected packages

Git / github.com/authzed/spicedb

Affected ranges

Type: GIT
Repo: https://github.com/authzed/spicedb
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

15bba2e2d2a4bda336a37a7fe8ef8a35028cd970

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0