CVE-2024-32001

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-32001

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32001.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-32001

Aliases

Related

CGA-vgh3-789r-gcw6

Published

2024-04-10T22:25:12.353Z

Modified

2026-03-03T02:52:41.436575Z

Severity

2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Details

SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: relation folder: folder | folder#parent with an arrow such as folder->view can cause LookupSubjects to only return the subjects found under subjects for either folder or folder#parent. This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.

Database specific

{
    "cwe_ids": [
        "CWE-755"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32001.json"
}

References

Affected packages

Git / github.com/authzed/spicedb

Affected ranges

Type: GIT
Repo: https://github.com/authzed/spicedb
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a244ed1edfaf2382711dccdb699971ec97190c7b

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.14.1

v1.15.0

v1.16.0

v1.16.1

v1.16.2

v1.17.0

v1.18.1

v1.19.0

v1.2.0

v1.21.0

v1.21.0-rc1

v1.22.0

v1.22.0-rc1

v1.22.0-rc2

v1.22.0-rc4

v1.22.0-rc5

v1.22.0-rc6

v1.22.0-rc7

v1.22.0-rc8

v1.22.1

v1.22.1-rc1

v1.22.2

v1.23.0

v1.23.0-rc1

v1.23.0-rc2

v1.23.0-rc3

v1.23.0-rc4

v1.23.1

v1.23.1-rc1

v1.24.0

v1.24.0-rc1

v1.24.0-rc2

v1.24.0-rc3

v1.25.0

v1.25.0-rc1

v1.25.0-rc2

v1.25.0-rc3

v1.25.0-rc4

v1.26.0

v1.26.0-rc1

v1.26.0-rc2

v1.27.0

v1.27.0-rc1

v1.27.1-rc1

v1.28.0

v1.28.0-rc1

v1.29.0

v1.29.1

v1.29.1-rc1

v1.3.0

v1.30.0

v1.4.0

v1.5.0

v1.7.0

v1.7.1

v1.8.0

v1.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32001.json"