CVE Catalog

CVE-2023-35930

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

SpiceDB, a Google Zanzibar-inspired database system, has an issue with negative authorization decisions using the `LookupResources` request in version 1.22.0. Users may incorrectly gain access to resources that should be blocked.

Risk Assessment

The organization may be exposed to unauthorized access to resources, potentially leading to serious security breaches. Specifically, improper authorization decisions could threaten data integrity.

Recommendation

It is recommended to upgrade to version 1.22.2 to mitigate this vulnerability. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.

Original NVD description (English source)

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using `LookupResources` to find a list of banned resources instead, then some users that shouldn't have access may. Generally, `LookupResources` is not and should not be to gate access in this way - that's what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS