GHSA-cwwm-hr97-qfxm

Published: 06 Jun 2025
Source: github
GitHub: reviewed
CVSS3: 3.7

Description

SpiceDB checks involving relations with caveats can result in no permission when permission is expected

Impact

On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.

For example, given this schema:

    definition user {}

    definition office {
        relation parent: office
        relation manager: user
        permission read = manager + parent->read
    }

    definition group {
        relation parent: office
        permission read = parent->read
    }

    definition document {
        relation owner: group with equals
        permission read = owner->read
    }

    caveat equals(actual string, required string) {
        actual == required
    }

and these relationships:

    office:headoffice#manager@user:maria
    office:branch1#parent@office:headoffice
    group:admins#parent@office:branch1
    group:managers#parent@office:headoffice
    document:budget#owner@group:admins[equals:{"required":"admin"}]
    document:budget#owner@group:managers[equals:{"required":"manager"}]

Permission for 'document:budget#read@user:maria with {"actual" : "admin"}' is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.
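To make the expected answer concrete, the following is an added model of the advisory's schema and relationships (example code written for this page, not SpiceDB's own evaluator; `check_permission` and `equals` are illustrative names). It unions every branch, caveated or not, so the request for user:maria with actual "admin" resolves to HAS_PERMISSION, the same request with actual "manager" succeeds through the second branch, and an unmatched value yields no permission.

```python
# Added illustration, not SpiceDB's own code: a minimal evaluator of the advisory's
# schema that unions every caveated branch, the answer CheckPermission should give.

# Relationships from the advisory: (resource, relation) -> [(subject, caveat context)].
RELATIONSHIPS = {
    ("office:headoffice", "manager"): [("user:maria", None)],
    ("office:branch1", "parent"): [("office:headoffice", None)],
    ("group:admins", "parent"): [("office:branch1", None)],
    ("group:managers", "parent"): [("office:headoffice", None)],
    ("document:budget", "owner"): [
        ("group:admins", {"required": "admin"}),      # [equals:{"required":"admin"}]
        ("group:managers", {"required": "manager"}),  # [equals:{"required":"manager"}]
    ],
}

# Permissions from the schema: a string is a direct relation, a tuple is an arrow.
PERMISSIONS = {
    "office": {"read": ["manager", ("parent", "read")]},  # manager + parent->read
    "group": {"read": [("parent", "read")]},              # parent->read
    "document": {"read": [("owner", "read")]},            # owner->read
}

def equals(caveat_context, request_context):
    """caveat equals(actual string, required string) { actual == required }"""
    return request_context["actual"] == caveat_context["required"]

def check_permission(resource, permission, subject, request_context):
    """True if subject holds permission on resource (union over all branches).

    A branch whose caveat evaluates to false contributes nothing; it must never
    turn a positive sibling branch into NO_PERMISSION.
    """
    resource_type = resource.split(":", 1)[0]
    for term in PERMISSIONS[resource_type][permission]:
        relation, arrow = (term, None) if isinstance(term, str) else term
        for found, caveat_context in RELATIONSHIPS.get((resource, relation), []):
            if caveat_context is not None and not equals(caveat_context, request_context):
                continue  # caveat not satisfied on this branch
            if arrow is None:
                if found == subject:
                    return True
            elif check_permission(found, arrow, subject, request_context):
                return True
    return False


if __name__ == "__main__":
    # Expected HAS_PERMISSION; the advisory reports NO_PERMISSION before v1.44.2.
    print(check_permission("document:budget", "read", "user:maria", {"actual": "admin"}))
```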

Patches

Upgrade to v1.44.2.

Workarounds

Do not use caveats in your schema over an arrow’ed relation.

Packages

Name: github.com/authzed/spicedb (go)
Affected versions: <= 1.44.0
Fixed version: 1.44.2

EPSS

Percentile: 7%
0.00028
Low

3.7 Low

CVSS3

Weaknesses

CWE-358

Related vulnerabilities

CVSS3: 3.7
nvd
8 months ago

SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.
