GHSA-j85q-46hg-36p2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j85q-46hg-36p2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-j85q-46hg-36p2/GHSA-j85q-46hg-36p2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j85q-46hg-36p2
- Aliases
- Related
- Published
- 2024-04-10T22:25:17Z
- Modified
- 2024-06-04T16:56:52.651597Z
- Severity
-
- 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used
- Details
-
Background
Use of a relation of the form:
relation folder: folder | folder#parentwith an arrow such asfolder->viewcan cause LookupSubjects to only return the subjects found under subjects for eitherfolderorfolder#parent.This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation.
Impact
Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected.
Workarounds
Avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.
- Database specific
{ "github_reviewed_at": "2024-04-10T22:25:17Z", "github_reviewed": true, "severity": "LOW", "nvd_published_at": "2024-04-10T23:15:07Z", "cwe_ids": [ "CWE-755" ] }- References
Affected packages
Go / github.com/authzed/spicedb
Package
- Name
- github.com/authzed/spicedb
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/authzed/spicedb