GHSA-mqcf-gqvg-rmhmLow
SpiceDB: Caveat structures with nested lists can result in improper cache reuse
🔗 CVE IDs covered (1)
📋 Description
Impact
Users are impacted if:
- They have a caveat structure with a nested list, e.g.:
caveat shape(x list<any>) {
x == [["a"], "b"]
}
- Their system exercises that caveat with either CheckBulkPermission or else LookupResources running with the
--experimental-lookup-resources-versionflag set tolr3, implying they are using the experimental version 3 ofLookupResources - An attacker can cause the system to craft a request to SpiceDB where either:
- It's a
CheckBulkrequest where there are two check items that are identical except for their combined caveat context, and one of the caveat contexts evaluates positively and the other evaluates negatively - It's a
LookupResourcesrequest where two resources have the same evaluation contents except for their caveat context, and one would evaluate positively and the other would evaluate negatively
- It's a
If all of the above are true, it would be possible for SpiceDB to erroneously return that a user has access to a resource that they do not have access to.
Patches
This problem was addressed in https://github.com/authzed/spicedb/pull/3065 and released in version v1.52.0.
Workarounds
If using v3 of LookupResources, turn the flag off.
If possible, refactor the caveat declaration structure so that it does not operate on a list of lists, but rather any other composite structure.
🎯 Affected products1
- go/github.com/authzed/spicedb:>= 1.15.0, < 1.52.0