CVE-2023-46255 – `SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed
https://notcve.org/view.php?id=CVE-2023-46255
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (for example because the password contains a `:`), the full URI, password included, is printed, so the password ends up in the logs. Version 1.27.0-rc1 patches this issue. • https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8 https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2 • CWE-532: Insertion of Sensitive Information into Log File •
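The bug class above is a parse-failure path that echoes the raw input. The Go program below is an added example, not SpiceDB's code, of the pattern that avoids it: redact the password in every form a Postgres-style connection string can take (URI userinfo, `?password=` query setting, keyword/value DSN), including when `net/url` rejects the string, and scrub the `*url.Error`, whose `Error()` text embeds the complete input. The function names, the placeholder `xxxxx`, and the sample connection strings are constructed for illustration; the page does not say which parser SpiceDB uses, so the fallback path is written to depend on nothing but `://` and the last `@` of the authority.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

const redacted = "xxxxx"

// passwordKV matches a libpq/pgx-style "password=<value>" setting, whether in a
// keyword/value DSN ("host=h password=s") or in a URI query ("?password=s").
// Single-quoted values may contain spaces, as libpq allows.
var passwordKV = regexp.MustCompile(`(?i)\bpassword=('(?:[^'\\]|\\.)*'|[^\s&#]*)`)

// RedactConnURI returns a copy of a datastore connection string that is safe to
// log. The password is replaced by a placeholder whether or not the string
// parses as a URL; the fallback for unparseable input never echoes the input
// unchanged, which is the mistake behind CVE-2023-46255.
func RedactConnURI(raw string) string {
	out := raw
	if strings.Contains(raw, "://") {
		if u, err := url.Parse(raw); err == nil {
			if u.User != nil {
				if _, hasPw := u.User.Password(); hasPw {
					u.User = url.UserPassword(u.User.Username(), redacted)
				}
			}
			out = u.String()
		} else {
			out = redactUserinfoByHand(raw)
		}
	}
	// Applied last so a password= setting is hidden in every form.
	return passwordKV.ReplaceAllLiteralString(out, "password="+redacted)
}

// redactUserinfoByHand handles URIs net/url rejects (bad port, bad %-escape,
// ...). It relies only on "://" and the last '@' of the authority, so a ':'
// inside the password, the trigger named in the advisory, is handled.
func redactUserinfoByHand(raw string) string {
	schemeEnd := strings.Index(raw, "://") + 3
	rest := raw[schemeEnd:]
	authEnd := strings.IndexAny(rest, "/?#")
	if authEnd < 0 {
		authEnd = len(rest)
	}
	authority, tail := rest[:authEnd], rest[authEnd:]
	at := strings.LastIndex(authority, "@")
	if at < 0 {
		return raw // no userinfo component, so no embedded password
	}
	user, _, hasPw := strings.Cut(authority[:at], ":")
	if !hasPw {
		return raw
	}
	return raw[:schemeEnd] + user + ":" + redacted + authority[at:] + tail
}

// ParseDatastoreURI parses the URI and, on failure, returns an error whose text
// does not contain the secret. *url.Error stores the complete input and prints
// it from Error(), so even "log the error" would leak the password; the URL
// field is swapped for the redacted form. The wrapped inner error can still
// quote a short fragment of the input (an invalid %-escape, for instance).
func ParseDatastoreURI(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err == nil {
		return u, nil
	}
	var uerr *url.Error
	if errors.As(err, &uerr) {
		uerr.URL = RedactConnURI(raw)
		return nil, uerr
	}
	return nil, fmt.Errorf("parse datastore URI %s: %w", RedactConnURI(raw), err)
}

func main() {
	// Constructed sample inputs; none are real credentials. The last one is
	// rejected by net/url (non-numeric port) and has a ':' in the password.
	for _, raw := range []string{
		"postgres://spicedb:s3cret@db.internal:5432/spicedb?sslmode=require",
		"postgres://db.internal/spicedb?user=spicedb&password=s3cret",
		"host=db.internal user=spicedb password='se cret' sslmode=require",
		"postgres://spicedb:pa:ss@db.internal:port/spicedb",
	} {
		fmt.Println(RedactConnURI(raw))
	}
	if _, err := ParseDatastoreURI("postgres://spicedb:pa:ss@db.internal:port/spicedb"); err != nil {
		fmt.Println("error:", err) // message shows spicedb:xxxxx@, never pa:ss
	}
}
```

The point of the last function is easy to miss in review: Go's `url.Parse` returns a `*url.Error` that reproduces the whole input in its message, so a redaction helper applied to the URI but not to the error still leaks.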
CVE-2023-35930 – LookupResources may return partial results in spicedb
https://notcve.org/view.php?id=CVE-2023-35930
SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with version 1.22.0 is affected, because that version can return partial results. If `LookupResources` is used to build a list of resources to allow access to, the failure is conservative: some subjects that should have access to a resource may be denied it. If it is instead used to build a list of banned resources, some users who should not have access may be granted it. In general `LookupResources` is not, and should not be, used to gate access in this way; that is what the `Check` API is for. • https://github.com/authzed/spicedb/pull/1397 https://github.com/authzed/spicedb/security/advisories/GHSA-m54h-5x5f-5m6r • CWE-913: Improper Control of Dynamically-Managed Code Resources •
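The polarity argument above (a dropped lookup result is a false denial on an allow list but a false allow on a ban list) is shown concretely in the following Go program. It is an added example, not SpiceDB or the authzed client: `Authorizer` is a constructed interface with the two calls the argument needs, `truncatingAuthorizer` is a fake whose `Check` is complete but whose `LookupResources` silently stops after a fixed number of results, and the three `Gate*` functions are the three decision strategies the advisory contrasts. The grant table and the `view`/`banned` permission names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Authorizer is the slice of a permissions API that access gating relies on.
// Check answers "does subject have permission on resource?"; LookupResources
// lists the resources of one type on which subject has the permission.
type Authorizer interface {
	Check(resource, permission, subject string) bool
	LookupResources(resourceType, permission, subject string) []string
}

// truncatingAuthorizer is a constructed fake, not SpiceDB. Check is computed
// from the complete grant table, but LookupResources stops after maxResults
// entries, standing in for the partial answers the advisory describes.
type truncatingAuthorizer struct {
	grants     map[string][]string // "permission@subject" -> resources
	maxResults int
}

func (a *truncatingAuthorizer) Check(resource, permission, subject string) bool {
	return contains(a.grants[permission+"@"+subject], resource)
}

func (a *truncatingAuthorizer) LookupResources(resourceType, permission, subject string) []string {
	var out []string
	for _, r := range a.grants[permission+"@"+subject] {
		if strings.HasPrefix(r, resourceType+":") && len(out) < a.maxResults {
			out = append(out, r) // results beyond maxResults are silently dropped
		}
	}
	return out
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// resourceType splits "document:a" into its type "document".
func resourceType(resource string) string {
	t, _, _ := strings.Cut(resource, ":")
	return t
}

// GateByAllowList grants access only if the resource appears in the lookup of
// "view". A dropped result becomes a false denial: wrong, but fails closed.
func GateByAllowList(a Authorizer, resource, subject string) bool {
	return contains(a.LookupResources(resourceType(resource), "view", subject), resource)
}

// GateByBanList denies access only if the resource appears in the lookup of
// "banned". A dropped result becomes a false allow: fails open.
func GateByBanList(a Authorizer, resource, subject string) bool {
	return !contains(a.LookupResources(resourceType(resource), "banned", subject), resource)
}

// GateByCheck asks the question directly, which is what Check is for, and is
// unaffected by whatever the lookup path drops.
func GateByCheck(a Authorizer, resource, subject string) bool {
	return a.Check(resource, "view", subject)
}

// sampleAuthorizer is a constructed dataset: alice may view a, b and c; bob is
// banned from x, y and z and may view only w. Lookups return at most two rows.
func sampleAuthorizer() Authorizer {
	return &truncatingAuthorizer{
		grants: map[string][]string{
			"view@user:alice": {"document:a", "document:b", "document:c"},
			"banned@user:bob": {"document:x", "document:y", "document:z"},
			"view@user:bob":   {"document:w"},
		},
		maxResults: 2,
	}
}

func main() {
	a := sampleAuthorizer()
	fmt.Println("alice/document:c allow-list:", GateByAllowList(a, "document:c", "user:alice"),
		"check:", GateByCheck(a, "document:c", "user:alice"))
	fmt.Println("bob/document:z   ban-list:  ", GateByBanList(a, "document:z", "user:bob"),
		"check:", GateByCheck(a, "document:z", "user:bob"))
}
```

Running it shows `document:c` denied to alice by the allow list and `document:z` granted to bob by the ban list, while `Check` answers both correctly; the ban-list case is the one the advisory warns about.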
CVE-2023-29193 – SpiceDB binding metrics port to untrusted networks and can leak command-line flags
https://notcve.org/view.php?id=CVE-2023-29193
SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions. The `spicedb serve` command has a flag named `--grpc-preshared-key`, used to protect the gRPC API from unauthorized requests; its value is sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (which by default listens on port `9090`) reveals, for debugging purposes, the command-line flags the process was started with. If a key is set via `--grpc-preshared-key`, this endpoint reveals it along with every other flag passed to the SpiceDB binary. • https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999 https://github.com/authzed/spicedb/releases/tag/v1.19.1 https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6 • CWE-209: Generation of Error Message Containing Sensitive Information •
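The leak is a property of Go's standard `net/http/pprof` handlers: `pprof.Cmdline` writes `os.Args`, so any secret given as an argument is served to whoever can reach the listener it is mounted on. The program below is an added example, not SpiceDB's code: it builds a metrics mux with and without the pprof handlers, requests `/debug/pprof/cmdline` in-process, and includes a small startup check that flags a secret present in argv. The argv contents, the handler paths other than the one named in the advisory, and the function names are constructed for illustration; nothing here asserts how SpiceDB's own metrics server is wired.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"os"
	"strings"
)

// metricsMux builds a metrics/debug listener in the shape the advisory
// describes: /metrics plus, optionally, the net/http/pprof handlers.
// exposePprof=false is the hardened variant for any listener that untrusted
// networks can reach; pprof belongs on a loopback-only listener if at all.
func metricsMux(exposePprof bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "# metrics would be served here")
	})
	if exposePprof {
		mux.HandleFunc("/debug/pprof/", pprof.Index)
		mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	}
	return mux
}

// FetchCmdline performs GET /debug/pprof/cmdline against mux in-process and
// returns the status code and body. The handler writes os.Args joined by NUL
// bytes; they are replaced by spaces for readability.
func FetchCmdline(mux http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil))
	return rec.Code, strings.ReplaceAll(rec.Body.String(), "\x00", " ")
}

// SecretOnCommandLine reports the value of a sensitive flag if it was passed
// as an argument, either as "--flag value" or "--flag=value". Anything that
// returns true here is readable through the cmdline endpoint, and through
// /proc/<pid>/cmdline or `ps` on the host regardless of any HTTP exposure.
func SecretOnCommandLine(args []string, flag string) (string, bool) {
	for i, a := range args {
		if a == flag && i+1 < len(args) {
			return args[i+1], true
		}
		if strings.HasPrefix(a, flag+"=") {
			return strings.TrimPrefix(a, flag+"="), true
		}
	}
	return "", false
}

func main() {
	// Constructed argv standing in for a real "spicedb serve" invocation;
	// "hunter2" is a placeholder, not a real key.
	os.Args = []string{"spicedb", "serve", "--grpc-preshared-key", "hunter2"}

	code, body := FetchCmdline(metricsMux(true))
	fmt.Printf("pprof mounted:   %d %q\n", code, body)
	code, _ = FetchCmdline(metricsMux(false))
	fmt.Printf("pprof unmounted: %d\n", code)
	if v, ok := SecretOnCommandLine(os.Args, "--grpc-preshared-key"); ok {
		fmt.Printf("refusing to start: %q is visible in argv; supply it through a file or the environment\n", v)
	}
}
```

From outside the process the same check is `curl -s http://<metrics-host>:9090/debug/pprof/cmdline | tr '\0' ' '`; if that prints the key, every host that can reach the metrics port has it. The two mitigations the example encodes are independent and both worth doing: keep pprof off any listener that is not loopback-only, and do not put secrets in argv at all, since the host's process table exposes them even with pprof removed.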
CVE-2022-21646 – Lookup operations do not take into account wildcards in SpiceDB
https://notcve.org/view.php?id=CVE-2022-21646
SpiceDB is a database system for managing security-critical application permissions. Any user who places a wildcard relationship on the right-hand branch of an `exclusion` or inside an `intersection` will see `Lookup`/`LookupResources` report a resource as accessible even though the wildcard in the intersection, or on the right side of the exclusion, makes it *not* accessible. In `v1.3.0` the wildcard is ignored entirely in lookup's dispatch, so a `banned` wildcard in the exclusion is ignored. Version 1.4.0 contains a patch for this issue. As a workaround, do not use wildcards on the right side of exclusions or within intersections. • https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970 https://github.com/authzed/spicedb/issues/358 https://github.com/authzed/spicedb/releases/tag/v1.4.0 https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92 • CWE-20: Improper Input Validation CWE-155: Improper Neutralization of Wildcards or Matching Symbols •
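To make the wildcard-in-exclusion case concrete, the Go program below is an added toy evaluator, not SpiceDB's engine, for the kind of schema the advisory implies: `permission view = viewer - banned`, where both relations may hold the wildcard subject `user:*`. `CheckView` honours the wildcard on both sides; `LookupViewIgnoringWildcards` models the `v1.3.0` behaviour the advisory describes (the wildcard is ignored entirely in lookup's dispatch), and `LookupView` is the listing that agrees with `CheckView`, which is the property the patched version restores. The schema, relationship tuples and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Relationship is one tuple resource#relation@subject, for example
// document:memo#banned@user:* (the wildcard subject means every user).
type Relationship struct{ Resource, Relation, Subject string }

// Graph is a toy evaluator, constructed here for illustration, for the schema
//
//	definition user {}
//	definition document {
//	    relation viewer: user | user:*
//	    relation banned: user | user:*
//	    permission view = viewer - banned
//	}
type Graph struct{ rels []Relationship }

const wildcard = "user:*"

// hasRelation reports whether subject is in resource#relation. With
// honorWildcard set, a user:* tuple matches every user; without it the
// wildcard tuple is invisible, which is the v1.3.0 lookup behaviour.
func (g Graph) hasRelation(resource, relation, subject string, honorWildcard bool) bool {
	for _, r := range g.rels {
		if r.Resource != resource || r.Relation != relation {
			continue
		}
		if r.Subject == subject || (honorWildcard && r.Subject == wildcard) {
			return true
		}
	}
	return false
}

// CheckView evaluates view = viewer - banned for one resource; wildcards are
// honoured on both sides, so a banned user:* removes everyone.
func (g Graph) CheckView(resource, subject string) bool {
	return g.hasRelation(resource, "viewer", subject, true) &&
		!g.hasRelation(resource, "banned", subject, true)
}

// resources lists the distinct resource ids in the graph, sorted.
func (g Graph) resources() []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range g.rels {
		if !seen[r.Resource] {
			seen[r.Resource] = true
			out = append(out, r.Resource)
		}
	}
	sort.Strings(out)
	return out
}

// LookupViewIgnoringWildcards models what the advisory says v1.3.0 did. A
// document whose banned relation holds user:* is reported as viewable (the
// dangerous direction); one whose viewer relation holds user:* is missed.
func (g Graph) LookupViewIgnoringWildcards(subject string) []string {
	var out []string
	for _, res := range g.resources() {
		if g.hasRelation(res, "viewer", subject, false) &&
			!g.hasRelation(res, "banned", subject, false) {
			out = append(out, res)
		}
	}
	return out
}

// LookupView returns exactly the resources CheckView approves: a listing that
// can never disagree with the check it is derived from.
func (g Graph) LookupView(subject string) []string {
	var out []string
	for _, res := range g.resources() {
		if g.CheckView(res, subject) {
			out = append(out, res)
		}
	}
	return out
}

// sampleGraph is a constructed dataset exercising both wildcard positions.
func sampleGraph() Graph {
	return Graph{rels: []Relationship{
		{"document:memo", "viewer", "user:alice"},
		{"document:memo", "banned", wildcard},  // nobody may view memo
		{"document:public", "viewer", wildcard}, // everybody may view public
		{"document:notes", "viewer", "user:alice"},
	}}
}

func main() {
	g := sampleGraph()
	fmt.Println("check memo/alice:            ", g.CheckView("document:memo", "user:alice"))
	fmt.Println("lookup ignoring wildcards:   ", g.LookupViewIgnoringWildcards("user:alice"))
	fmt.Println("lookup consistent with check:", g.LookupView("user:alice"))
}
```

With this data the wildcard-blind lookup lists `document:memo` for alice although `CheckView` denies it, and omits `document:public` although `CheckView` allows it. The first discrepancy is the one the advisory rates as the security problem; the workaround of keeping wildcards off the right side of exclusions removes exactly the tuple that produces it.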