Vulnerability DatabaseCVE-2024-48909
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-48909
October 14, 2024
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.
Affected Packages
github.com/authzed/spicedb (GO):
Affected version(s) >=v1.35.0 <v1.37.1
Fix Suggestion:
Update to version v1.37.1
Related Resources (4)
https://github.com/authzed/spicedb
https://nvd.nist.gov/vuln/detail/CVE-2024-48909
https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj
https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853
Do you need more information?
Contact Us
CVSS v4
Base Score:
2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
2
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Encoding Error
CWE-172
EPSS
Base Score:
0.08