x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2023-35930

[GoVulnBot]

CVE-2023-35930 references github.com/authzed/spicedb, which may be a Go module.

Description:
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a LookupResources request with 1.22.0 is affected. For example, using LookupResources to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using LookupResources to find a list of banned resources instead, then some users that shouldn't have access may. Generally, LookupResources is not and should not be to gate access in this way - that's what the Check API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using LookupResources for negative authorization decisions.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-35930
• JSON: https://github.com/CVEProject/cvelist/tree/5ecf69745f696849e5c7faf5fb8aae6e2b12cabc/2023/35xxx/CVE-2023-35930.json
• advisory: GHSA-m54h-5x5f-5m6r
• fix: Further fixes to context handling in LookupResources and performance improvements authzed/spicedb#1397
• Imported by: https://pkg.go.dev/github.com/authzed/spicedb?tab=importedby

Cross references:

• Module github.com/authzed/spicedb appears in issue x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2022-21646 #295 EFFECTIVELY_PRIVATE
• Module github.com/authzed/spicedb appears in issue x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-cjr9-mr35-7xh6 #1723 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/authzed/spicedb
      packages:
        - package: spicedb
description: |-
    SpiceDB is an open source, Google Zanzibar-inspired, database system for
    creating and managing security-critical application permissions. Any user making
    a negative authorization decision based on the results of a `LookupResources`
    request with 1.22.0 is affected. For example, using `LookupResources` to find a
    list of resources to allow access to be okay: some subjects that should have
    access to a resource may not. But if using `LookupResources` to find a list of
    banned resources instead, then some users that shouldn't have access may.
    Generally, `LookupResources` is not and should not be to gate access in this way
    - that's what the `Check` API is for. Additionally, version 1.22.0 has included
    a warning about this bug since its initial release. Users are advised to upgrade
    to version 1.22.2. Users unable to upgrade should avoid using `LookupResources`
    for negative authorization decisions.
cves:
    - CVE-2023-35930
references:
    - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r
    - fix: https://github.com/authzed/spicedb/pull/1397

[gopherbot]

Change https://go.dev/cl/507896 mentions this issue: data/excluded: batch add 10 excluded reports

[gopherbot]

Change https://go.dev/cl/507901 mentions this issue: data/excluded: batch add 8 excluded reports

[gopherbot]

Change https://go.dev/cl/507904 mentions this issue: data/excluded: batch add 8 excluded reports

[gopherbot]

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606787 mentions this issue: data/reports: unexclude 20 reports (7)