Description

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

INFO

Published Date :

2024-10-14T20:22:17.777Z

Last Modified :

2024-10-15T14:45:43.494Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-48909 vulnerability.

Vendors Products
Authzed
  • Spicedb
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-48909.

URL Resource
https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853 cve-icon cve-icon
https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact