CVE-2024-32001 Information

Apr 11, 2024 cve

Description

SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: relation folder: folder | folderparent with an arrow such as folder->view can cause LookupSubjects to only return the subjects found under subjects for either folder or folderparent. This bug only manifests if the same subject type is used multiple types in a relation relationships exist for both subject types and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.

Reference

https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2 https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c7b https://github.com/authzed/spicedb/releases/tag/v1.30.1

Share on: