Severity: LOW · Score: 3.7 · Ecosystem: Go

SpiceDB exclusions can result in no permission returned when permission expected

GHSA-grjv-gjgr-66g2 · CVE-2024-38361 · GO-2024-2939

Description

Background

Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected.

For example, given this schema:

definition user {}

definition folder {
  relation member: user
  relation banned: user
  permission view = member - banned
}

definition resource {
  relation folder: folder
  permission view = folder->view
}

If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report that the user does not have access. The cause is a failure in the exclusion dispatcher to request that all of the folders in which the user is a member be returned.
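The schema and scenario above, modelled as an added example that is not SpiceDB's own code: a small in-memory evaluator for the intended semantics, where the arrow `folder->view` is a union over every folder a resource sits under, so a user banned in one folder but a member of another still gets PERMISSION. The tuple store and sample data are constructed for this illustration; the `Store`, `FolderView` and `ResourceView` names are this example's own.

```go
package main

import "fmt"

// One relationship tuple, object#relation@subject.
type Tuple struct{ Object, Relation, Subject string }

// Store is a constructed in-memory tuple set standing in for the SpiceDB datastore.
type Store map[Tuple]bool

// Subjects returns every subject related to object through relation.
func (s Store) Subjects(object, relation string) (out []string) {
	for t := range s {
		if t.Object == object && t.Relation == relation {
			out = append(out, t.Subject)
		}
	}
	return out
}

// FolderView evaluates `permission view = member - banned` on a single folder.
func FolderView(s Store, folder, user string) bool {
	return s[Tuple{folder, "member", user}] && !s[Tuple{folder, "banned", user}]
}

// ResourceView evaluates `permission view = folder->view`. The arrow is a union
// over every folder the resource sits under, so one granting folder suffices;
// an evaluator that consults only some of those folders can wrongly say NO_PERMISSION.
func ResourceView(s Store, resource, user string) bool {
	for _, f := range s.Subjects(resource, "folder") {
		if FolderView(s, f, user) {
			return true
		}
	}
	return false
}

// Sample (constructed): doc1 sits under two folders; alice is a member of both
// but banned in folder:a, so the only grant comes through folder:b.
var Sample = Store{
	{"resource:doc1", "folder", "folder:a"}: true, {"resource:doc1", "folder", "folder:b"}: true,
	{"folder:a", "member", "user:alice"}: true, {"folder:b", "member", "user:alice"}: true,
	{"folder:a", "banned", "user:alice"}: true,
}

func main() {
	fmt.Println("CheckPermission resource:doc1#view@user:alice should be PERMISSION:",
		ResourceView(Sample, "resource:doc1", "user:alice"))
}
```

The same tuples loaded into a patched SpiceDB instance make a useful regression check: CheckPermission on resource:doc1#view@user:alice must return PERMISSION.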

Impact

Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.

Workarounds

None