CVE-2023-35930
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
SpiceDB, a Google Zanzibar-inspired database system, has an issue with negative authorization decisions using the `LookupResources` request in version 1.22.0. Users may incorrectly gain access to resources that should be blocked.
Risk Assessment
The organization may be exposed to unauthorized access to resources, potentially leading to serious security breaches. Specifically, improper authorization decisions could threaten data integrity.
Recommendation
It is recommended to upgrade to version 1.22.2 to mitigate this vulnerability. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.
Original NVD description (English source)
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using `LookupResources` to find a list of banned resources instead, then some users that shouldn't have access may. Generally, `LookupResources` is not and should not be to gate access in this way - that's what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.

