CVE-2024-27101
7.3
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H
Summary
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| authzed | spicedb | < 1.29.2 | affected |
Weaknesses
- CWE-190: CWE-190: Integer Overflow or Wraparound
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p
- https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe
References
- https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p
- https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.