Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected.
For example, given this schema:
definition user {}
definition folder {
relation member: user
relation banned: user
permission view = member - banned
}
definition resource {
relation folder: folder
permission view = folder->view
}
If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that all the folders in which the user is a member be returned
Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.
None
| Score | Percentile |
|---|---|
| 0.19% | 41.08% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 3.7 | 3.1 | — |
|
| 6.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-grjv-gjgr-66g2 ↗ |
| CVE | CVE-2024-38361 ↗ |
| CWE id | Name |
|---|---|
| CWE-281 | Improper Preservation of Permissions |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/authzed/spicedb | < 1.33.1 | 1.33.1 | — |