CVE-2022-21646 Information

Description

SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right-hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" when it is in fact not accessible, because the wildcard in the intersection or on the right side of the exclusion should have removed it. In v1.3.0 the wildcard is ignored entirely in lookup's dispatch, so a banning wildcard on the right side of an exclusion has no effect on the lookup result. Version 1.4.0 contains a patch for this issue. As a workaround, do not use wildcards within intersections or on the right side of exclusions.
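The following Go model is an added illustration, not SpiceDB's code and not taken from the advisory. It evaluates the two set operators the description concerns, intersection and exclusion, over a handful of constructed tuples. The schema, the tuples, and the honourWildcard switch that reproduces the v1.3.0 lookup behaviour are assumptions made for this example; the model's single-resource Check always honours wildcards so that it can be contrasted with the lookup answer.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Relationship is one stored tuple, resource#relation@subject; a subject of the
// form "<type>:*" is a wildcard matching every subject of that type.
type Relationship struct{ Resource, Relation, Subject string }

// Expr models a permission expression: a relation, or an intersection (&) or
// exclusion (-) of two sub-expressions, the two operators the advisory concerns.
type Expr struct {
	Op          string // "rel", "intersection", "exclusion"
	Relation    string // used when Op == "rel"
	Left, Right *Expr  // used for the binary operators
}

func Rel(r string) *Expr            { return &Expr{Op: "rel", Relation: r} }
func Intersection(l, r *Expr) *Expr { return &Expr{Op: "intersection", Left: l, Right: r} }
func Exclusion(l, r *Expr) *Expr    { return &Expr{Op: "exclusion", Left: l, Right: r} }

// subjectMatches reports whether a stored subject covers the queried subject.
// With honourWildcard=false, "<type>:*" tuples never match: this is the assumed
// model of the v1.3.0 lookup dispatch that dropped wildcards (not SpiceDB's code).
func subjectMatches(stored, queried string, honourWildcard bool) bool {
	if stored == queried {
		return true
	}
	if !honourWildcard || !strings.HasSuffix(stored, ":*") {
		return false
	}
	return strings.HasPrefix(queried, strings.TrimSuffix(stored, "*"))
}

// eval returns the set of resources on which subject satisfies e.
func eval(rels []Relationship, e *Expr, subject string, honourWildcard bool) map[string]bool {
	out := map[string]bool{}
	switch e.Op {
	case "rel":
		for _, t := range rels {
			if t.Relation == e.Relation && subjectMatches(t.Subject, subject, honourWildcard) {
				out[t.Resource] = true
			}
		}
	case "intersection", "exclusion":
		out = eval(rels, e.Left, subject, honourWildcard)
		right := eval(rels, e.Right, subject, honourWildcard)
		for r := range out {
			// intersection keeps only resources also in right; exclusion removes them
			if right[r] != (e.Op == "intersection") {
				delete(out, r)
			}
		}
	default:
		panic("unknown op " + e.Op)
	}
	return out
}

// Check answers a single permission question with wildcards always honoured
// (assumed reference behaviour for this model).
func Check(rels []Relationship, resource string, e *Expr, subject string) bool {
	return eval(rels, e, subject, true)[resource]
}

// Lookup lists the resources of resourceType that subject reaches through e.
// honourWildcard=true is the correct answer; false reproduces the v1.3.0 behaviour.
func Lookup(rels []Relationship, resourceType string, e *Expr, subject string, honourWildcard bool) []string {
	var out []string
	for r := range eval(rels, e, subject, honourWildcard) {
		if strings.HasPrefix(r, resourceType+":") {
			out = append(out, r)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed schema for the example (not from the advisory):
//   definition document { relation viewer: user | user:*
//                         relation banned: user | user:*
//                         permission view = viewer - banned }
var View = Exclusion(Rel("viewer"), Rel("banned"))

// Constructed tuples: doc1 bans everyone via a wildcard, doc2 bans bob explicitly.
var SampleRels = []Relationship{
	{"document:doc1", "viewer", "user:alice"},
	{"document:doc1", "banned", "user:*"},
	{"document:doc2", "viewer", "user:alice"},
	{"document:doc2", "viewer", "user:bob"},
	{"document:doc2", "banned", "user:bob"},
}

func main() {
	fmt.Println("check alice view doc1:", Check(SampleRels, "document:doc1", View, "user:alice"))
	fmt.Println("correct lookup:", Lookup(SampleRels, "document", View, "user:alice", true))
	fmt.Println("v1.3.0-style lookup:", Lookup(SampleRels, "document", View, "user:alice", false))
}
```

With honourWildcard=false, document:doc1 reappears in alice's lookup result even though Check denies her the permission, which is the divergence the advisory describes. The doc2 row, where the ban names a concrete subject instead of user:*, yields the same answer in both modes, which is why the advisory's workaround of avoiding wildcards in those positions is effective.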

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Reference

https://github.com/authzed/spicedb/issues/358
https://github.com/authzed/spicedb/releases/tag/v1.4.0
https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92
https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

8.1

Base Severity

HIGH
