PT-2022-15001 · SpiceDB · SpiceDB

Vroldanbet · Published 2022-01-11 · Updated 2024-08-21 · CVE-2022-21646

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SpiceDB 1.3.0
Description: SpiceDB 1.3.0 mishandles wildcard relationships (subjects of the form `type:*`) when they appear on the right-hand side of an exclusion or inside an intersection. Lookup's dispatch in 1.3.0 ignores wildcards entirely, so a wildcard that should remove a resource from the result set (for example a `banned` relation granted to `user:*`, subtracted from `viewer` in `viewer - banned`) is never applied. As a result, Lookup/LookupResources returns the resource as "accessible" to a subject who is not actually permitted to access it, which is an authorization over-approximation for any authorization decision or listing built on those calls.
Recommendations: Update SpiceDB 1.3.0 to version 1.4.0, which fixes the issue. As a temporary workaround, do not use wildcard relationships on the right side of intersections or within exclusions.
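The failure mode described above, as an added example that is not SpiceDB's own code: a toy Go model of the schema `definition document { relation viewer: user | user:*; relation banned: user | user:*; permission view = viewer - banned }` backed by a constructed in-memory tuple set. `LookupView` reproduces LookupResources for the exclusion with a switch that either skips `user:*` tuples during lookup (the 1.3.0 behaviour the description attributes to lookup's dispatch) or expands them, `CheckView` evaluates the permission directly for one resource and serves as the model's ground truth, and `FalsePositives` lists resources that lookup returns but direct evaluation denies. All identifiers, the schema and the sample data are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Wildcard is the subject written as user:* in a SpiceDB relationship.
// (Assumed constant for this model, not a SpiceDB API.)
const Wildcard = "user:*"

// Relationship is one tuple resource#relation@subject.
type Relationship struct {
	Resource, Relation, Subject string
}

// Store is a constructed in-memory tuple set standing in for the datastore.
type Store struct{ rels []Relationship }

// hasRelation answers "is subject in resource#relation", treating user:* as every user.
func (s *Store) hasRelation(resource, relation, subject string) bool {
	for _, r := range s.rels {
		if r.Resource == resource && r.Relation == relation &&
			(r.Subject == subject || r.Subject == Wildcard) {
			return true
		}
	}
	return false
}

// CheckView is the direct, per-resource evaluation of `view = viewer - banned`.
// It always expands wildcards, so it is the ground truth of this model.
func CheckView(s *Store, resource, subject string) bool {
	return s.hasRelation(resource, "viewer", subject) &&
		!s.hasRelation(resource, "banned", subject)
}

// resourcesFor is the reverse lookup: every resource where subject is in relation.
// When honourWildcard is false, user:* tuples are skipped, which is the 1.3.0 bug.
func (s *Store) resourcesFor(relation, subject string, honourWildcard bool) map[string]bool {
	out := map[string]bool{}
	for _, r := range s.rels {
		if r.Relation != relation {
			continue
		}
		if r.Subject == subject || (honourWildcard && r.Subject == Wildcard) {
			out[r.Resource] = true
		}
	}
	return out
}

// LookupView models LookupResources for `view = viewer - banned`:
// resources reachable via the left branch minus those reachable via the right.
func LookupView(s *Store, subject string, honourWildcard bool) []string {
	left := s.resourcesFor("viewer", subject, honourWildcard)
	right := s.resourcesFor("banned", subject, honourWildcard)
	var out []string
	for res := range left {
		if !right[res] {
			out = append(out, res)
		}
	}
	sort.Strings(out)
	return out
}

// FalsePositives returns resources LookupView reports as accessible but CheckView denies.
func FalsePositives(s *Store, subject string, honourWildcard bool) []string {
	var out []string
	for _, res := range LookupView(s, subject, honourWildcard) {
		if !CheckView(s, res, subject) {
			out = append(out, res)
		}
	}
	return out
}

// SampleStore is constructed test data: alice views two documents, but
// document:report bans everyone through a wildcard on the right side of the exclusion.
func SampleStore() *Store {
	return &Store{rels: []Relationship{
		{"document:report", "viewer", "user:alice"},
		{"document:report", "banned", Wildcard},
		{"document:notes", "viewer", "user:alice"},
		{"document:notes", "banned", "user:bob"},
	}}
}

func main() {
	s := SampleStore()
	fmt.Println("wildcard skipped  (1.3.0-style):", LookupView(s, "user:alice", false))
	fmt.Println("  false positives:", FalsePositives(s, "user:alice", false))
	fmt.Println("wildcard expanded (1.4.0-style):", LookupView(s, "user:alice", true))
	fmt.Println("  false positives:", FalsePositives(s, "user:alice", true))
}
```

With the wildcard skipped, the right branch of the exclusion finds no `banned` tuple for `user:alice`, so `document:report` is never subtracted and lookup lists it even though the direct evaluation denies it. With the wildcard expanded, the subtraction applies and lookup and direct evaluation agree. The workaround in the recommendations above removes the problem by construction: without a wildcard tuple in `banned`, the two lookup strategies return the same set.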

Authorization bypass

Improper Neutralization of Wildcards


Related Identifiers

CVE-2022-21646
GHSA-7P8F-8HJM-WM92
GO-2022-0295

Affected Products

SpiceDB