CVE-2024-48909: SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not

October 14, 2024

Clients that have enabled LookupResources2 and have caveats in the evaluation path for their requests can return a permissionship of CONDITIONAL with context marked as missing, even then the context was supplied.

LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0

References

github.com/advisories/GHSA-3c32-4hq9-6wgj
github.com/authzed/spicedb
github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853
github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj
nvd.nist.gov/vuln/detail/CVE-2024-48909

Code Behaviors & Features

Detect and mitigate CVE-2024-48909 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →