CVE-2024-38361

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-38361
Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned. Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. This issue has been addressed in version 1.33.1. All users are advised to upgrade. There are no known workarounds for this issue.

3.7 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb
https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2
https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb
https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2
Configurations

No configuration.

History

21 Nov 2024, 09:25

Type Values Removed Values Added
Summary
  • (es) Spicedb es una base de datos de permisos de código abierto inspirada en Google Zanzíbar para permitir una autorización detallada para las aplicaciones de los clientes. El uso de una exclusión debajo de una flecha que tiene múltiples recursos puede resolverse como "NO_PERMISSION" cuando se espera permiso. Si el recurso existe en *múltiples* carpetas y el usuario tiene acceso para ver más de una carpeta, SpiceDB puede informar que el usuario no tiene acceso debido a una falla en el despachador de exclusión al solicitar que *todas* las carpetas en las que se encuentra el recurso. El usuario es miembro y se devolverá. El permiso se devuelve como "NO_PERMISSION" cuando se espera "PERMISSION" en la API "CheckPermission". Este problema se solucionó en la versión 1.33.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para este problema.
References () https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb - () https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb -
References () https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2 - () https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2 -

20 Jun 2024, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-20 23:15

Updated : 2024-11-21 09:25

NVD link : CVE-2024-38361

Mitre link : CVE-2024-38361

CVE.ORG link : CVE-2024-38361

JSON object : View

Products Affected

No product.

CWE
CWE-281

Improper Preservation of Permissions


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024