2318642 – (CVE-2024-48909) CVE-2024-48909 spicedb: SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not

Bug 2318642 (CVE-2024-48909) - CVE-2024-48909 spicedb: SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not

Summary: CVE-2024-48909 spicedb: SpiceDB calls to LookupResources using LookupResource...

Keywords:
Status:	NEW
Alias:	CVE-2024-48909
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-14 21:01 UTC by OSIDB Bzimport
Modified:	2024-10-15 13:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-14 21:01:32 UTC

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

Note You need to log in before you can comment on or make changes to this bug.