
CVE-2023-35930 : What You Need to Know

Understand the impact of CVE-2023-35930, a vulnerability in SpiceDB's LookupResources functionality, affecting version 1.22.0. Learn how to mitigate and prevent unauthorized access issues.

This article provides an overview of CVE-2023-35930, a vulnerability in LookupResources in SpiceDB that may return partial results, impacting version 1.22.0.

Understanding CVE-2023-35930

This CVE highlights an improper control of dynamically-managed code resources in SpiceDB's LookupResources functionality.

What is CVE-2023-35930?

SpiceDB, an open-source database system for security-critical application permissions, is affected by this vulnerability. When making negative authorization decisions based on LookupResources results in version 1.22.0, users may experience unexpected access control issues.

The Impact of CVE-2023-35930

Users relying on LookupResources for negative authorization decisions may face unpredictable access control outcomes, potentially allowing unauthorized access to resources or denying access to legitimate users.

Technical Details of CVE-2023-35930

This section provides more insight into the vulnerability affecting SpiceDB version 1.22.0.

Vulnerability Description

The vulnerability arises from how LookupResources processes requests: it may return partial results, leading to unexpected authorization decisions that may compromise access control.

Affected Systems and Versions

        Vendor: authzed
        Product: spicedb
        Affected Version: 1.22.0

Exploitation Mechanism

Users leveraging LookupResources in version 1.22.0 for negative authorization decisions may inadvertently grant unauthorized access or restrict legitimate users.

Mitigation and Prevention

To address and prevent the vulnerabilities associated with CVE-2023-35930, users are advised to take the following actions:

Immediate Steps to Take

        Upgrade to version 1.22.2 of SpiceDB to mitigate the vulnerability.

Long-Term Security Practices

        Avoid using LookupResources for negative authorization decisions until the upgrade to version 1.22.2 is completed.

Patching and Updates

        Users unable to update to version 1.22.2 should refrain from relying on LookupResources for negative authorization decisions.
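The following added example (not from this page or from the SpiceDB project) contrasts the unsafe pattern the advisory warns about with the recommended one. It uses a constructed stand-in for the SpiceDB client, not the authzed client library, whose LookupResources deliberately returns a truncated list to simulate the partial results of version 1.22.0.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a SpiceDB client (hypothetical, not authzed-go or
# authzed-py). lookup_resources simulates the 1.22.0 defect by returning only
# a partial candidate list; check_permission answers per resource and is
# unaffected.
@dataclass
class FakeSpiceDBClient:
    # (resource_type, resource_id, permission, subject) -> has permission
    relationships: dict = field(default_factory=dict)
    lookup_limit: int = 1  # simulated truncation of LookupResources results

    def check_permission(self, resource_type, resource_id, permission, subject):
        key = (resource_type, resource_id, permission, subject)
        return self.relationships.get(key, False)

    def lookup_resources(self, resource_type, permission, subject):
        found = [rid for (rt, rid, perm, subj), ok in self.relationships.items()
                 if ok and rt == resource_type and perm == permission and subj == subject]
        return sorted(found)[: self.lookup_limit]  # partial, as in 1.22.0


def allowed_via_lookup(client, resource_type, resource_id, permission, subject):
    """Unsafe pattern: absence from LookupResources is treated as a denial."""
    return resource_id in client.lookup_resources(resource_type, permission, subject)


def allowed_via_check(client, resource_type, resource_id, permission, subject):
    """Safe pattern: a per-resource CheckPermission call makes the decision."""
    return client.check_permission(resource_type, resource_id, permission, subject)


def demo():
    # Constructed sample data: alice may view both documents.
    client = FakeSpiceDBClient({
        ("document", "doc1", "view", "user:alice"): True,
        ("document", "doc2", "view", "user:alice"): True,
    })
    # doc2 is dropped from the truncated lookup, so the lookup-based
    # decision wrongly denies a legitimate user; the check-based one is right.
    return {
        "lookup_doc2": allowed_via_lookup(client, "document", "doc2", "view", "user:alice"),
        "check_doc2": allowed_via_check(client, "document", "doc2", "view", "user:alice"),
    }
```

LookupResources remains useful for building a candidate list (for example, to populate a UI); the point is that a denial must come from a per-resource check, not from a resource being absent in that list.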
