CVE-2024-32001

low-risk

Published 2024-04-10

SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: `relation folder: folder | folder#parent` with an arrow such as `folder->view` can cause LookupSubjects to only return the subjects found under subjects for either `folder` or `folder#parent`. This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.

Do I need to act?

0.23% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.2/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Spicedb

Affected Vendors

Authzed

References (6)

Patch https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c...

Release Notes https://github.com/authzed/spicedb/releases/tag/v1.30.1

Vendor Advisory https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2

Patch https://github.com/authzed/spicedb/commit/a244ed1edfaf2382711dccdb699971ec97190c...

Release Notes https://github.com/authzed/spicedb/releases/tag/v1.30.1

Vendor Advisory https://github.com/authzed/spicedb/security/advisories/GHSA-j85q-46hg-36p2

/ 100

low-risk

Severity 9/34 · Low

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal