SpiceDB · SpiceDB · CVE-2022-21646
**Name of the Vulnerable Software and Affected Versions**
SpiceDB version 1.3.0
**Description**
The issue concerns how SpiceDB handles wildcard relationships inside `exclusion` and `intersection` operations. When a wildcard relationship is used under the right-hand branch of an `exclusion` or within an `intersection` operation, `Lookup`/`LookupResources` may return a resource as "accessible" even though the inclusion of the wildcard makes it inaccessible. This happens because lookup's dispatch in version 1.3.0 ignores the wildcard entirely, so the `banned` wildcard is ignored in the exclusion.
**Recommendations**
For version 1.3.0, update to version 1.4.0 to resolve the issue.
As a temporary workaround, do not make use of wildcards on the right side of intersections or within exclusions.
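One way to audit a schema against the workaround above, as an added example that is not code from SpiceDB or from the advisory: it flags every permission that uses `&` or `-` over a relation that accepts a wildcard subject, directly or through another permission. The schema is constructed, the name `wildcard_risks` is hypothetical, and the check assumes one statement per line with no comments; it flags both sides of each operator so that it covers the wording of the description and of the workaround.

```python
import re

# Constructed sample schema (not taken from the advisory).
SAMPLE_SCHEMA = """
definition user {}

definition resource {
    relation viewer: user
    relation editor: user
    relation banned: user | user:*
    relation public: user:*
    permission view = viewer - banned
    permission edit = editor & view
    permission read = viewer + public
    permission admin = editor - viewer
}
"""

DEF_RE = re.compile(r"definition\s+([\w/]+)\s*\{(.*?)\}", re.S)
REL_RE = re.compile(r"relation\s+(\w+)\s*:\s*([^\n]+)")
PERM_RE = re.compile(r"permission\s+(\w+)\s*=\s*([^\n]+)")

def wildcard_risks(schema):
    """Return {"definition#permission": [wildcard-reaching names]} for each
    permission that uses '&' or '-' over something that can hold a wildcard."""
    findings = {}
    for def_name, body in DEF_RE.findall(schema):
        # Relations that directly allow a wildcard subject such as user:*.
        tainted = {n for n, types in REL_RE.findall(body) if ":*" in types}
        perms = dict(PERM_RE.findall(body))
        idents = {p: set(re.findall(r"[A-Za-z_]\w*", e)) for p, e in perms.items()}
        # Fixed point: a permission built on a tainted name is itself tainted.
        changed = True
        while changed:
            changed = False
            for p, names in idents.items():
                if p not in tainted and names & tainted:
                    tainted.add(p)
                    changed = True
        for p, expr in perms.items():
            # Drop arrows so the '-' in '->' is not read as an exclusion.
            ops = expr.replace("->", " ")
            hits = sorted(idents[p] & tainted)
            if hits and ("&" in ops or "-" in ops):
                findings[f"{def_name}#{p}"] = hits
    return findings

if __name__ == "__main__":
    print(wildcard_risks(SAMPLE_SCHEMA))
```

Names after an arrow are matched against the local definition, so the check can over-report but does not miss a local wildcard relation.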