CVE-2024-46989

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46989
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46989.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46989
Aliases
Published
2024-09-18T18:15:07Z
Modified
2024-10-08T04:23:12.974115Z
Summary
[none]
Details

spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users are advised to upgrade. Users unable to upgrade should not use caveats or avoid the use of caveats on an indirect subject type with multiple entries.

References

Affected packages

Git / github.com/authzed/spicedb

Affected ranges

Type
GIT
Repo
https://github.com/authzed/spicedb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3

v1.*

v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.15.0
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.18.1
v1.19.0
v1.2.0
v1.21.0
v1.21.0-rc1
v1.22.0
v1.22.0-rc1
v1.22.0-rc2
v1.22.0-rc4
v1.22.0-rc5
v1.22.0-rc6
v1.22.0-rc7
v1.22.0-rc8
v1.22.1
v1.22.1-rc1
v1.22.2
v1.23.0
v1.23.0-rc1
v1.23.0-rc2
v1.23.0-rc3
v1.23.0-rc4
v1.23.1
v1.23.1-rc1
v1.24.0
v1.24.0-rc1
v1.24.0-rc2
v1.24.0-rc3
v1.25.0
v1.25.0-rc1
v1.25.0-rc2
v1.25.0-rc3
v1.25.0-rc4
v1.26.0
v1.26.0-rc1
v1.26.0-rc2
v1.27.0
v1.27.0-rc1
v1.27.1-rc1
v1.28.0
v1.28.0-rc1
v1.29.0
v1.29.1
v1.29.1-rc1
v1.3.0
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.35.1
v1.35.2
v1.4.0
v1.5.0
v1.7.0
v1.7.1
v1.8.0
v1.9.0