GHSA-3c32-4hq9-6wgj

Suggest an improvement
Source
https://github.com/advisories/GHSA-3c32-4hq9-6wgj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-3c32-4hq9-6wgj/GHSA-3c32-4hq9-6wgj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3c32-4hq9-6wgj
Aliases
Published
2024-10-14T21:04:56Z
Modified
2024-10-15T16:11:55.210845Z
Severity
  • 2.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not
Details

Impact

Clients that have enabled LookupResources2 and have caveats in the evaluation path for their requests can return a permissionship of CONDITIONAL with context marked as missing, even then the context was supplied.

LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0

Patches

The bug will be released as part of SpiceDB 1.37.1

Workarounds

Disable LookupResources2 via the --enable-experimental-lookup-resources flag by setting it to false

--enable-experimental-lookup-resources=false
References

Affected packages

Go / github.com/authzed/spicedb

Package

Name
github.com/authzed/spicedb
View open source insights on deps.dev
Purl
pkg:golang/github.com/authzed/spicedb

Affected ranges

Type
SEMVER
Events
Introduced
1.35.0
Fixed
1.37.1