Vulnerability Details : CVE-2022-21646
SpiceDB is a database system for managing security-critical application permissions. Any user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as "accessible" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion. In `v1.3.0`, the wildcard is ignored entirely in lookup's dispatch, resulting in the `banned` wildcard being ignored in the exclusion. Version 1.4.0 contains a patch for this issue. As a workaround, don't make use of wildcards on the right side of intersections or within exclusions.
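The following toy model, added here to illustrate the bug and not taken from SpiceDB's code base, shows why a wildcard on the right side of an exclusion matters for lookup. It encodes a hypothetical schema `permission view = viewer - banned` with a constructed tuple set in which `doc:secret` carries a `banned` wildcard (`user:*`). A `check`-style evaluation honours the wildcard and denies access; a lookup that ignores wildcard tuples, as the description says the v1.3.0 lookup dispatch did, still reports the document as accessible. The tuple format, the nested-tuple schema encoding and all function names are assumptions of this example; the `overpermissive` helper is the kind of lookup-versus-check consistency test an operator could run over their own data to spot the discrepancy.

```python
"""Toy model of SpiceDB-style permission evaluation for CVE-2022-21646.
Not SpiceDB code: tuple store, schema encoding and evaluators are constructed
for this example. Relationship tuples are (resource, relation, subject); a
subject of "user:*" is a wildcard matching every user."""

WILDCARD_SUFFIX = ":*"

# Constructed relationships: alice may view both documents, but doc:secret has
# a wildcard "banned" tuple that should exclude every user from viewing it.
TUPLES = {
    ("doc:readme", "viewer", "user:alice"),
    ("doc:secret", "viewer", "user:alice"),
    ("doc:secret", "banned", "user:*"),
}

# Hypothetical encoding of:  definition doc { permission view = viewer - banned }
VIEW = ("exclusion", ("rel", "viewer"), ("rel", "banned"))


def subject_matches(tuples, resource, relation, subject, honor_wildcards):
    """True if `subject` is in resource#relation, optionally via a wildcard tuple."""
    namespace = subject.split(":", 1)[0]
    for res, rel, sub in tuples:
        if res != resource or rel != relation:
            continue
        if sub == subject:
            return True
        if honor_wildcards and sub == namespace + WILDCARD_SUFFIX:
            return True
    return False


def evaluate(tuples, resource, expr, subject, honor_wildcards=True):
    """Evaluate a permission expression for one (resource, subject) pair."""
    kind = expr[0]
    if kind == "rel":
        return subject_matches(tuples, resource, expr[1], subject, honor_wildcards)
    left = evaluate(tuples, resource, expr[1], subject, honor_wildcards)
    right = evaluate(tuples, resource, expr[2], subject, honor_wildcards)
    if kind == "union":
        return left or right
    if kind == "intersection":
        return left and right
    if kind == "exclusion":
        return left and not right
    raise ValueError(f"unknown operator {kind!r}")


def check(tuples, resource, expr, subject):
    """Check-style API: wildcards are honoured everywhere, including on the
    right side of an exclusion."""
    return evaluate(tuples, resource, expr, subject, honor_wildcards=True)


def lookup_v130(tuples, resources, expr, subject):
    """Models the vulnerable lookup: wildcard tuples are ignored entirely, so the
    banned wildcard on the right of the exclusion never excludes anything."""
    return sorted(r for r in resources
                  if evaluate(tuples, r, expr, subject, honor_wildcards=False))


def lookup_fixed(tuples, resources, expr, subject):
    """Models the patched lookup: same wildcard semantics as check()."""
    return sorted(r for r in resources
                  if evaluate(tuples, r, expr, subject, honor_wildcards=True))


def overpermissive(lookup_fn, tuples, resources, expr, subject):
    """Resources a lookup reports as accessible that check() denies: a
    lookup/check consistency test to run against a deployment's own data."""
    return [r for r in lookup_fn(tuples, resources, expr, subject)
            if not check(tuples, r, expr, subject)]


if __name__ == "__main__":
    docs = {"doc:readme", "doc:secret"}
    print("v1.3.0 lookup:", lookup_v130(TUPLES, docs, VIEW, "user:alice"))
    print("fixed lookup: ", lookup_fixed(TUPLES, docs, VIEW, "user:alice"))
    print("over-reported:", overpermissive(lookup_v130, TUPLES, docs, VIEW, "user:alice"))
```

Running it shows the vulnerable lookup returning both documents for `user:alice` while `check` denies `doc:secret`; the fixed lookup and `check` agree. The same disagreement appears for a wildcard under an `intersection`, and removing the wildcard in favour of explicit `banned` tuples (the workaround the advisory suggests) makes the two lookups agree again.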
Vulnerability category: Input validation
Products affected by CVE-2022-21646
- cpe:2.3:a:authzed:spicedb:1.3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21646
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~37%
Percentile: the proportion of vulnerabilities scored at or below this EPSS score
CVSS scores for CVE-2022-21646
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N | 8.0 | 4.9 | NIST | 
8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 2.8 | 5.2 | NIST | 
8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 2.8 | 5.2 | GitHub, Inc. | 
CWE ids for CVE-2022-21646
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component. Assigned by:
  - security-advisories@github.com (Secondary)
References for CVE-2022-21646
- https://github.com/authzed/spicedb/issues/358
  unexpected expand/lookup behaviour with wildcard permissions · Issue #358 · authzed/spicedb · GitHub (Third Party Advisory)
- https://github.com/authzed/spicedb/releases/tag/v1.4.0
  Release v1.4.0 · authzed/spicedb · GitHub (Release Notes; Third Party Advisory)
- https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92
  Lookup operations do not take into account wildcards in intersections or exclusions · Advisory · authzed/spicedb · GitHub (Third Party Advisory)
- https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970
  Merge pull request from GHSA-7p8f-8hjm-wm92 · authzed/spicedb@15bba2e · GitHub (Patch; Third Party Advisory)