
SpiceDB having multiple caveats on resources of the same type may improperly result in no permission

Low severity GitHub Reviewed Published Sep 18, 2024 in authzed/spicedb • Updated Sep 19, 2024

Package

gomod github.com/authzed/spicedb (Go)

Affected versions

< 1.35.3

Patched versions

1.35.3

Description

Background

Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected.

For example, given this schema:

definition user {}

// Caveat evaluated against the context supplied at check time.
caveat somecaveat(somefield int) {
  somefield == 42
}

definition group {
  relation member: user
}

definition resource {
  // Indirect subject type (group#member) gated by the caveat.
  relation viewer: group#member with somecaveat
  // view follows the caveated viewer relation.
  permission view = viewer
}

If a resource has several caveated group#member viewer relationships and the caveat context supplied to the check satisfies the caveat, the returned permission can still be "no permission" when permission is expected.
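The following zed validation file is an added example for reproducing the condition described above; it is not part of the advisory or of the SpiceDB project, and the object names (group:eng, group:sales, user:tom, resource:doc1) and the context values are assumptions. It gives one resource two caveated group#member viewers, both leading to the same user, and asserts that a check carrying a satisfying context grants view. On 1.35.3 the assertTrue holds; on an affected version it may fail with NO_PERMISSION.

```yaml
# Added reproduction file for `zed validate` (not from the advisory).
# Object names and context values are constructed for this example.
schema: |-
  definition user {}

  caveat somecaveat(somefield int) {
    somefield == 42
  }

  definition group {
    relation member: user
  }

  definition resource {
    relation viewer: group#member with somecaveat
    permission view = viewer
  }

# Two caveated group#member entries on the same relation, both
# reaching user:tom. The caveat context is left to check time.
relationships: |-
  group:eng#member@user:tom
  group:sales#member@user:tom
  resource:doc1#viewer@group:eng#member[somecaveat]
  resource:doc1#viewer@group:sales#member[somecaveat]

assertions:
  # Satisfying context: expected PERMISSION. An affected build may
  # wrongly return NO_PERMISSION here.
  assertTrue:
    - "resource:doc1#view@user:tom with {\"somefield\": 42}"
  # Non-satisfying context: NO_PERMISSION is the correct answer.
  assertFalse:
    - "resource:doc1#view@user:tom with {\"somefield\": 7}"
  # No context at all: the result must be reported as caveated.
  assertCaveated:
    - "resource:doc1#view@user:tom"
```

Run it with `zed validate <file>`. Note that `zed validate` evaluates the checks with the SpiceDB version compiled into the zed release, so to test a specific server build, load the same schema and relationships into that server and issue a CheckPermission call with the same caveat context.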

Impact

Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. The defect fails closed: access that should be granted is denied, so the effect is spurious denials rather than unintended access.

Workarounds

Do not use caveats, or do not use caveats on an indirect subject type with multiple entries. Otherwise, upgrade to 1.35.3, where this is fixed.

References

@josephschorr josephschorr published to authzed/spicedb Sep 18, 2024
Published to the GitHub Advisory Database Sep 18, 2024
Reviewed Sep 18, 2024
Published by the National Vulnerability Database Sep 18, 2024
Last updated Sep 19, 2024

Severity

Low

EPSS score

0.043%
(10th percentile)

CVE ID

CVE-2024-46989

GHSA ID

GHSA-jhg6-6qrx-38mr
