Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Permissions processing error in spacedb
Vulnerability Description
Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned. Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. This issue has been addressed in version 1.33.1. All users are advised to upgrade. There are no known workarounds for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
权限预留不恰当
Vulnerability Title
Spicedb 安全漏洞
Vulnerability Description
SpiceDB是受 Google Zanzibar 启发的细粒度权限数据库。 Spicedb v1.33.1之前版本存在安全漏洞,该漏洞源于如果资源存在于多个文件夹下,并且用户有权查看多个文件夹,则 SpiceDB 可能会报告用户无权访问,因为排除调度程序无法请求返回用户所属的所有文件夹。
CVSS Information
N/A
Vulnerability Type
N/A