Today > | 3 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-48909

Oct. 17, 2024, 5:56 p.m.

CVSS Score

2.4 / 10

Products Impacted

Vendor Product Versions
authzed
  • spicedb
  • *

Description

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

Weaknesses

CWE-172
Encoding Error

The product does not properly encode or decode the data, resulting in unexpected values.

CWE ID: 172

Date

Published: Oct. 14, 2024, 9:15 p.m.

Last Modified: Oct. 17, 2024, 5:56 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a authzed spicedb / / / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score
2.4
Exploitability Score
0.9
Impact Score
1.4
Base Severity
LOW
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

References

https://github.com/ security-advisories@github.com

https://github.com/ security-advisories@github.com