CVE-2024-48909 — Vulnetix

CVE-2024-48909 PUBLISHED CVSS 2 LOW

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

EPSS 0.11% · 29.7th percentile

Risk Scores

CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

EPSS Score

0.11%

29.7th percentile

Affected Products

Vendor	Product	Versions
authzed	spicedb	>= 1.35.0, < 1.37.1, 1.35.0, >= 1.35.0, < 1.37.1
github.com	authzed/spicedb	1.35.0, 1.35.0

Exploit Intelligence

CIRCL seen: CVE-2024-48909 (circl-sighting)
https://github.com/authzed/spicedb/security/advisories/GHSA-3c32-4hq9-6wgj (circl)
https://github.com/authzed/spicedb/commit/2f3cf77a7fcfcb478ef5a480a245842c96ac8853 (circl)

Timeline

Jan 21, 1970 Security Advisory
Oct 14, 2024 CVE Published
Oct 15, 2024 EPSS Score
Oct 15, 2024 PoC Published
Oct 16, 2024 Coalition ESS Score
Oct 17, 2024 Coalition ESS Score
Nov 3, 2024 EPSS Score
Nov 21, 2024 EPSS Score
Dec 11, 2024 EPSS Score
Dec 30, 2024 EPSS Score
Jan 17, 2025 EPSS Score
Feb 5, 2025 EPSS Score

References

Open in Interactive Console →