Description

Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned. Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. This issue has been addressed in version 1.33.1. All users are advised to upgrade. There are no known workarounds for this issue.

INFO

Published Date :

2024-06-20T22:18:35.552Z

Last Modified :

2024-08-02T04:04:25.268Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-38361 vulnerability.

Vendors Products
Authzed
  • Spicedb
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-38361.

URL Resource
https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb cve-icon cve-icon
https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact