Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-grjv-gjgr-66g2 #2939

Closed
GoVulnBot opened this issue Jun 20, 2024 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/authzed/spicedb: GHSA-grjv-gjgr-66g2 #2939

GoVulnBot opened this issue Jun 20, 2024 · 3 comments
Assignees
@tatianab
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-grjv-gjgr-66g2 references a vulnerability in the following Go modules:

Module
github.com/authzed/spicedb

Description:

Background

Use of an exclusion under an arrow that has multiple resources may resolve to
NO_PERMISSION when permission is expected.

For example, given this schema:


definition folder { relation member: user relation banned: user permission view
= member - banned }

definition resource { relation folder: folder permission view = folder->view }

If the resource exists under multiple folders and the user has access to view
more than a single folder, SpiceDB may report the user does not have access due
to a failure in the exclusion dispatcher to request tha...

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/authzed/spicedb
      versions:
        - fixed: 1.33.1
      vulnerable_at: 1.33.0
      packages:
        - package: github.com/authzed/spicedb
summary: SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb
ghsas:
    - GHSA-grjv-gjgr-66g2
references:
    - advisory: https://github.com/advisories/GHSA-grjv-gjgr-66g2
    - advisory: https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2
    - fix: https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb
source:
    id: GHSA-grjv-gjgr-66g2
    created: 2024-06-20T17:01:17.528606568Z
review_status: UNREVIEWED
@tatianab tatianab self-assigned this Jun 25, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/594901 mentions this issue: data/reports: add 18 unreviewed reports

@tatianab tatianab mentioned this issue Jun 27, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/595636 mentions this issue: data/reports: add 15 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606359 mentions this issue: data/reports: regenerate 50 reports

gopherbot pushed a commit that referenced this issue Aug 19, 2024
@tatianab @gopherbot
data/reports: regenerate 50 reports
4c06ac4 
  - data/reports/GO-2024-2642.yaml
  - data/reports/GO-2024-2644.yaml
  - data/reports/GO-2024-2645.yaml
  - data/reports/GO-2024-2664.yaml
  - data/reports/GO-2024-2665.yaml
  - data/reports/GO-2024-2675.yaml
  - data/reports/GO-2024-2684.yaml
  - data/reports/GO-2024-2690.yaml
  - data/reports/GO-2024-2697.yaml
  - data/reports/GO-2024-2704.yaml
  - data/reports/GO-2024-2707.yaml
  - data/reports/GO-2024-2718.yaml
  - data/reports/GO-2024-2719.yaml
  - data/reports/GO-2024-2728.yaml
  - data/reports/GO-2024-2741.yaml
  - data/reports/GO-2024-2752.yaml
  - data/reports/GO-2024-2757.yaml
  - data/reports/GO-2024-2769.yaml
  - data/reports/GO-2024-2792.yaml
  - data/reports/GO-2024-2801.yaml
  - data/reports/GO-2024-2815.yaml
  - data/reports/GO-2024-2843.yaml
  - data/reports/GO-2024-2844.yaml
  - data/reports/GO-2024-2847.yaml
  - data/reports/GO-2024-2848.yaml
  - data/reports/GO-2024-2851.yaml
  - data/reports/GO-2024-2852.yaml
  - data/reports/GO-2024-2854.yaml
  - data/reports/GO-2024-2855.yaml
  - data/reports/GO-2024-2856.yaml
  - data/reports/GO-2024-2857.yaml
  - data/reports/GO-2024-2858.yaml
  - data/reports/GO-2024-2866.yaml
  - data/reports/GO-2024-2867.yaml
  - data/reports/GO-2024-2877.yaml
  - data/reports/GO-2024-2886.yaml
  - data/reports/GO-2024-2891.yaml
  - data/reports/GO-2024-2898.yaml
  - data/reports/GO-2024-2901.yaml
  - data/reports/GO-2024-2902.yaml
  - data/reports/GO-2024-2905.yaml
  - data/reports/GO-2024-2911.yaml
  - data/reports/GO-2024-2917.yaml
  - data/reports/GO-2024-2919.yaml
  - data/reports/GO-2024-2922.yaml
  - data/reports/GO-2024-2939.yaml
  - data/reports/GO-2024-2941.yaml
  - data/reports/GO-2024-2972.yaml
  - data/reports/GO-2024-2981.yaml
  - data/reports/GO-2024-2987.yaml

Updates #2642
Updates #2644
Updates #2645
Updates #2664
Updates #2665
Updates #2675
Updates #2684
Updates #2690
Updates #2697
Updates #2704
Updates #2707
Updates #2718
Updates #2719
Updates #2728
Updates #2741
Updates #2752
Updates #2757
Updates #2769
Updates #2792
Updates #2801
Updates #2815
Updates #2843
Updates #2844
Updates #2847
Updates #2848
Updates #2851
Updates #2852
Updates #2854
Updates #2855
Updates #2856
Updates #2857
Updates #2858
Updates #2866
Updates #2867
Updates #2877
Updates #2886
Updates #2891
Updates #2898
Updates #2901
Updates #2902
Updates #2905
Updates #2911
Updates #2917
Updates #2919
Updates #2922
Updates #2939
Updates #2941
Updates #2972
Updates #2981
Updates #2987

Change-Id: I2dff127628eabc7c25afa4020c15a4d35a46a2c4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606359
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
This was referenced Sep 18, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Oct 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot