Vulnerability Details : CVE-2023-29193
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. The `spicedb serve` command contains a flag named `--grpc-preshared-key` which is used to protect the gRPC API from being accessed by unauthorized requests. The values of this flag are to be considered sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (defaulting running on port `9090`) reveals the command-line flags provided for debugging purposes. If a password is set via the `--grpc-preshared-key` then the key is revealed by this endpoint along with any other flags provided to the SpiceDB binary. This issue has been fixed in version 1.19.1.
### Impact
All deployments abiding by the recommended best practices for production usage are **NOT affected**:
- Authzed's SpiceDB Serverless
- Authzed's SpiceDB Dedicated
- SpiceDB Operator
Users configuring SpiceDB via environment variables are **NOT affected**.
Users **MAY be affected** if they expose their metrics port to an untrusted network and are configuring `--grpc-preshared-key` via command-line flag.
### Patches
TODO
### Workarounds
To workaround this issue you can do one of the following:
- Configure the preshared key via an environment variable (e.g. `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`)
- Reconfigure the `--metrics-addr` flag to bind to a trusted network (e.g. `--metrics-addr=localhost:9090`)
- Disable the metrics service via the flag (e.g. `--metrics-enabled=false`)
- Adopt one of the recommended deployment models: [Authzed's managed services](https://authzed.com/pricing) or the [SpiceDB Operator](https://github.com/authzed/spicedb-operator)
### References
- [GitHub Security Advisory issued for SpiceDB](https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6)
- [Go issue #22085](https://github.com/golang/go/issues/22085) for documenting the risks of exposing pprof to the internet
- [Go issue #42834](https://github.com/golang/go/issues/42834) discusses preventing pprof registration to the default serve mux
- [semgrep rule go.lang.security.audit.net.pprof.pprof-debug-exposure](https://semgrep.dev/r?q=go.lang.security.audit.net.pprof) checks for a variation of this issue
### Credit
We'd like to thank Amit Laish, a security researcher at GE Vernova for responsibly disclosing this vulnerability.
Products affected by CVE-2023-29193
- cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29193
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-29193
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
8.7
|
HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
2.3
|
5.8
|
GitHub, Inc. |
CWE ids for CVE-2023-29193
-
The product generates an error message that includes sensitive information about its environment, users, or associated data.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-29193
-
https://github.com/authzed/spicedb/commit/9bbd7d76b6eaba33fe0236014f9b175d21232999
Merge pull request from GHSA-cjr9-mr35-7xh6 · authzed/spicedb@9bbd7d7 · GitHubPatch
-
https://github.com/authzed/spicedb/releases/tag/v1.19.1
Release v1.19.1 · authzed/spicedb · GitHubRelease Notes;Vendor Advisory
-
https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6
Binding metrics port to untrusted networks can leak command-line flags · Advisory · authzed/spicedb · GitHubVendor Advisory
Jump to