CVE-2024-48909 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-48909 PUBLISHED CVSS 2 LOW

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

EPSS 0.11% · 30.0th percentile

Risk Scores

CVSS v3.1

2

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

EPSS Score

0.11%

30.0th percentile

Affected Products

Vendor	Product	Versions
authzed	spicedb	>= 1.35.0, < 1.37.1, 1.35.0, >= 1.35.0, < 1.37.1
github.com	authzed/spicedb	1.35.0, 1.35.0

Timeline

Jan 21, 1970 Security Advisory
Oct 14, 2024 CVE Published
Oct 15, 2024 EPSS Score
Oct 15, 2024 PoC Published
Oct 16, 2024 Coalition ESS Score
Oct 17, 2024 Coalition ESS Score
Nov 2, 2024 EPSS Score
Nov 20, 2024 EPSS Score
Dec 9, 2024 EPSS Score
Dec 27, 2024 EPSS Score
Jan 15, 2025 EPSS Score
Feb 2, 2025 EPSS Score

References

Open in Interactive Console →