SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using LookupResources to find a list of banned resources instead, then some users that shouldn't have access may. Generally, LookupResources is not and should not be to gate access in this way - that's what the Check API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using LookupResources for negative authorization decisions.
{
"cwe_ids": [
"CWE-913"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35930.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:authzed:spicedb:1.22.0:-:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "= 1.22.0"
},
{
"last_affected": "= 1.22.0"
},
{
"introduced": "1.22.0-NA"
},
{
"last_affected": "1.22.0-NA"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_STRING"
]
}