
CVE-2024-27101

CVE-2024-27101 PUBLISHED CVSS 7.3 HIGH

SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
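The failure mode described above, as an added example that is not SpiceDB's source code: `chunkNarrow` and `chunkWide` are hypothetical helpers, and the 16-bit counter is an assumption suggested by the 65535 threshold. The narrow version silently skips elements or panics once the input exceeds 65535 items, while the wide version visits all of them.

```go
package main

import "fmt"

// chunkNarrow is a hypothetical helper (not SpiceDB's code). It keeps the
// length and offsets in uint16, so every value wraps modulo 65536.
func chunkNarrow(data []int, chunkSize uint16) (visited int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	n := uint16(len(data)) // truncates: 65600 becomes 64
	chunks := n/chunkSize + 1
	for i := uint16(0); i < chunks; i++ {
		start, end := i*chunkSize, (i+1)*chunkSize // end can wrap below start
		if end > n {
			end = n
		}
		visited += len(data[start:end]) // panics when start > end
	}
	return visited, nil
}

// chunkWide does the same walk with int arithmetic and visits every element.
func chunkWide(data []int, chunkSize int) (visited int) {
	if chunkSize < 1 {
		chunkSize = 1
	}
	for start := 0; start < len(data); start += chunkSize {
		end := start + chunkSize
		if end > len(data) {
			end = len(data)
		}
		visited += len(data[start:end])
	}
	return visited
}

func main() {
	// Constructed inputs: slices stand in for a resource's relationships.
	for _, size := range []int{250, 65600, 131071} {
		v, err := chunkNarrow(make([]int, size), 100)
		fmt.Printf("n=%d narrow=%d err=%v wide=%d\n",
			size, v, err, chunkWide(make([]int, size), 100))
	}
}
```

A permission check built on the narrow helper would evaluate only 64 of 65600 relationships in the second case, which is how elements get missed without any error being raised.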

EPSS 0.11% · 29.2th percentile

Risk Scores

CVSS v3.1
7.3
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H
EPSS Score
0.11%
29.2th percentile

Affected Products

Vendor      Product          Versions
authzed     spicedb          < 1.29.2, 0
github.com  authzed/spicedb  0

Timeline

  • Jan 21, 1970 Security Advisory
  • Mar 1, 2024 CVE Published
  • Mar 2, 2024 EPSS Score
  • Mar 28, 2024 EPSS Score
  • Apr 24, 2024 EPSS Score
  • May 20, 2024 EPSS Score
  • Jun 17, 2024 EPSS Score
  • Jul 13, 2024 EPSS Score
  • Aug 8, 2024 EPSS Score
  • Sep 4, 2024 EPSS Score
  • Sep 30, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score