Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/authzed/spicedb: CVE-2024-46989 #3132

Closed
GoVulnBot opened this issue Sep 18, 2024 · 1 comment
Closed
Assignees

Comments

@GoVulnBot
Copy link

Advisory CVE-2024-46989 references a vulnerability in the following Go modules:

Module
github.com/authzed/spicedb

Description:
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected. Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API. This issue has been addressed in release version 1.35.3. Users...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/authzed/spicedb
      vulnerable_at: 1.35.3
summary: CVE-2024-46989 in github.com/authzed/spicedb
cves:
    - CVE-2024-46989
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-46989
    - fix: https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2
    - web: https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr
source:
    id: CVE-2024-46989
    created: 2024-09-18T19:01:27.854217612Z
review_status: UNREVIEWED

@zpavlinovic
Copy link
Contributor

Duplicate of #3131

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants