x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-46989 #3132

GoVulnBot · 2024-09-18T19:01:28Z

Advisory CVE-2024-46989 references a vulnerability in the following Go modules:

Module
github.com/authzed/spicedb

Description:
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users...

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-46989
FIX: authzed/spicedb@d4ef8e1
WEB: GHSA-jhg6-6qrx-38mr

Cross references:

github.com/authzed/spicedb appears in 7 other report(s):
- data/reports/GO-2022-0295.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2022-21646 #295)
- data/reports/GO-2023-1723.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-cjr9-mr35-7xh6 #1723)
- data/reports/GO-2023-1871.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2023-35930 #1871)
- data/reports/GO-2023-2166.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2023-46255 #2166)
- data/reports/GO-2024-2597.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-27101 #2597)
- data/reports/GO-2024-2716.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-j85q-46hg-36p2 #2716)
- data/reports/GO-2024-2939.yaml (x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-grjv-gjgr-66g2 #2939)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/authzed/spicedb
      vulnerable_at: 1.35.3
summary: CVE-2024-46989 in github.com/authzed/spicedb
cves:
    - CVE-2024-46989
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46989
    - fix: https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2
    - web: https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr
source:
    id: CVE-2024-46989
    created: 2024-09-18T19:01:27.854217612Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

zpavlinovic · 2024-09-19T13:47:48Z

Duplicate of #3131

zpavlinovic added duplicate triaged labels Sep 19, 2024

zpavlinovic marked this as a duplicate of #3131 Sep 19, 2024

zpavlinovic mentioned this issue Sep 19, 2024

x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-jhg6-6qrx-38mr #3131

Closed

zpavlinovic self-assigned this Sep 19, 2024

zpavlinovic closed this as completed Sep 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-46989 #3132

x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-46989 #3132

GoVulnBot commented Sep 18, 2024

zpavlinovic commented Sep 19, 2024

x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-46989 #3132

x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-46989 #3132

Comments

GoVulnBot commented Sep 18, 2024

zpavlinovic commented Sep 19, 2024