x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2023-46255 #2166
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
neild
added
the
excluded: EFFECTIVELY_PRIVATE
|
Change https://go.dev/cl/539339 mentions this issue: |
This was referenced Apr 10, 2024
|
Change https://go.dev/cl/592763 mentions this issue: |
This was referenced Jun 20, 2024
|
Change https://go.dev/cl/606792 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2023-2097.yaml - data/reports/GO-2023-2109.yaml - data/reports/GO-2023-2121.yaml - data/reports/GO-2023-2125.yaml - data/reports/GO-2023-2134.yaml - data/reports/GO-2023-2135.yaml - data/reports/GO-2023-2136.yaml - data/reports/GO-2023-2156.yaml - data/reports/GO-2023-2159.yaml - data/reports/GO-2023-2166.yaml - data/reports/GO-2023-2170.yaml - data/reports/GO-2023-2176.yaml - data/reports/GO-2023-2188.yaml - data/reports/GO-2023-2329.yaml - data/reports/GO-2023-2330.yaml - data/reports/GO-2023-2332.yaml - data/reports/GO-2023-2335.yaml - data/reports/GO-2023-2336.yaml - data/reports/GO-2023-2337.yaml - data/reports/GO-2023-2338.yaml Updates #2097 Updates #2109 Updates #2121 Updates #2125 Updates #2134 Updates #2135 Updates #2136 Updates #2156 Updates #2159 Updates #2166 Updates #2170 Updates #2176 Updates #2188 Updates #2329 Updates #2330 Updates #2332 Updates #2335 Updates #2336 Updates #2337 Updates #2338 Change-Id: I5fc55dacf7cdfd2512c00f07abfc0debfde9263f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606792 LUCI-TryBot-Result: Go LUCI <[email protected]> Commit-Queue: Tatiana Bradley <[email protected]> Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]>
This was referenced Sep 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-46255 references github.com/authzed/spicedb, which may be a Go module.
Description:
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0, when the provided datastore URI is malformed (e.g. by having a password which contains
:) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0 patches this issue.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: