Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used
Vulnerability Description
SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: `relation folder: folder | folder#parent` with an arrow such as `folder->view` can cause LookupSubjects to only return the subjects found under subjects for either `folder` or `folder#parent`. This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation. Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected. Version 1.30.1 contains a patch for the issue. As a workaround, avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
对异常条件的处理不恰当
Vulnerability Title
SpiceDB 安全漏洞
Vulnerability Description
SpiceDB是受 Google Zanzibar 启发的细粒度权限数据库。 SpiceDB v1.30.1 之前版本存在安全漏洞,该漏洞源于如果使用特定类型的关系,LookupSubjects 可能会返回部分敏感信息。
CVSS Information
N/A
Vulnerability Type
N/A