Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected
For example, given this schema:
definition user {}

caveat somecaveat(somefield int) {
    somefield == 42
}

definition group {
    relation member: user
}

definition resource {
    // every group#member subject on viewer is gated by somecaveat
    relation viewer: group#member with somecaveat
    // view is computed from the (caveated) viewer subjects
    permission view = viewer
}
If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected.
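As an added example that is not part of the advisory or of the SpiceDB project: a validation file for `zed validate` that encodes the scenario above as a regression check. The schema is the one from the advisory (with `permission view = viewer`); the group and user names, the resource id and the caveat context values are constructed, and the file assumes zed's validation-file format with caveated relationships written as `subject[caveat]` and assertions carrying caveat context via `with {...}`. The `assertTrue` line states the expected result described in the advisory: a user who is a member of several caveated groups, all of whose caveats hold, should have permission.

```yaml
# Constructed regression check for the multiple-caveated-groups case.
schema: |-
  definition user {}

  caveat somecaveat(somefield int) {
    somefield == 42
  }

  definition group {
    relation member: user
  }

  definition resource {
    relation viewer: group#member with somecaveat
    permission view = viewer
  }
# One resource, two groups that both point at it through the caveated
# viewer relation, and one user who is a member of both groups.
relationships: |-
  group:eng#member@user:alice
  group:ops#member@user:alice
  resource:doc1#viewer@group:eng#member[somecaveat]
  resource:doc1#viewer@group:ops#member[somecaveat]
assertions:
  # caveat satisfied on every path: permission is expected
  assertTrue:
    - 'resource:doc1#view@user:alice with {"somefield": 42}'
  # caveat not satisfied on any path: no permission is expected
  assertFalse:
    - 'resource:doc1#view@user:alice with {"somefield": 7}'
```

Run it with `zed validate <file>`. On a fixed release (1.35.3 or later) both assertions should pass; an affected release is the one where the `assertTrue` check may fail, which is the behaviour the advisory describes.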
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/authzed/spicedb
      versions:
          - fixed: 1.35.3
      vulnerable_at: 1.35.2
summary: |-
    SpiceDB having multiple caveats on resources of the same type may improperly
    result in no permission in github.com/authzed/spicedb
cves:
    - CVE-2024-46989
ghsas:
    - GHSA-jhg6-6qrx-38mr
references:
    - advisory: https://github.com/advisories/GHSA-jhg6-6qrx-38mr
    - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr
    - fix: https://github.com/authzed/spicedb/commit/20855de75812bcbc975efebe7f76abf47c0f3edb
source:
    id: GHSA-jhg6-6qrx-38mr
    created: 2024-09-18T18:01:26.58126039Z
review_status: UNREVIEWED
Advisory GHSA-jhg6-6qrx-38mr references a vulnerability in the Go module github.com/authzed/spicedb.
Impact
...