Spicedb
CVE-2024-27101
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
AnalysisAI
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Technical ContextAI
This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2. Affected products include: Authzed Spicedb.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.
Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for custom
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical applica
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application per
spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for custom
SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical applica
SpiceDB is a graph database purpose-built for storing and evaluating access control data. Rated medium severity (CVSS 4.
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Rated low severity
SpiceDB is an open source database system for creating and managing security-critical application permissions. Rated low
SpiceDB is an open source database system for creating and managing security-critical application permissions. Rated low
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today