Home > Vulnerability Database > CVE-2023-35930

Mend.io Vulnerability Database

CVE-2023-35930

Good to know:

Date: June 26, 2023

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using `LookupResources` to find a list of banned resources instead, then some users that shouldn't have access may. Generally, `LookupResources` is not and should not be to gate access in this way - that's what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.

Language: Go

Severity Score

5.4

Related Resources (4)

Url: https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-35930

Url: https://github.com/authzed/spicedb/pull/1397

Url: https://www.mend.io/vulnerability-database/CVE-2023-35930

Severity Score

5.4

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Top Fix

Upgrade Version

Upgrade to version v1.22.1

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-35930

Good to know:

Date: June 26, 2023

Language: Go

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?