PT-2023-2479 · Spicedb · Spicedb

Amit-Laish

·

Published

2023-04-03

·

Updated

2024-08-20

·

CVE-2023-29193

CVSS v3.1
8.7
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions:

SpiceDB versions prior to 1.19.1

Description:

The issue concerns the `/debug/pprof/cmdline` endpoint served by SpiceDB's metrics service. The pprof `cmdline` handler exists for debugging and returns the process's command-line arguments, that is, every flag passed to the SpiceDB binary. If the pre-shared key is supplied via the `--grpc-preshared-key` flag, the key is returned by this endpoint along with all other flags, and anyone who can reach the metrics port can read it and present it to SpiceDB's gRPC API as a legitimate client. Users configuring SpiceDB via environment variables or following the recommended best practices for production usage are not affected. Users who expose their metrics port to an untrusted network and configure `--grpc-preshared-key` on the command line are affected.

Recommendations:

To resolve the issue, consider the following:

- Configure the pre-shared key via an environment variable (e.g., `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`), so that it never appears in the process's argv.

- Reconfigure the `--metrics-addr` flag to bind the metrics service to a trusted interface (e.g., `--metrics-addr=localhost:9090`).

- Disable the metrics service via the flag (e.g., `--metrics-enabled=false`).

- Adopt one of the recommended deployment models: Authzed's managed services or the SpiceDB Operator.
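The following Go program is an added example, not code from SpiceDB or Authzed, illustrating both the leak described above and a check for it. It uses Go's standard `net/http/pprof` `Cmdline` handler as a stand-in for the handler behind `/debug/pprof/cmdline` on the metrics port; the argv values, the `SPICEDB_GRPC_PRESHARED_KEY` environment value and all function names are constructed for the demonstration. The handler is driven in-process with `httptest`, so no socket is opened; `probeCmdline` is the same check against a real metrics address.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"os"
	"strings"
)

// Flag whose value the advisory says is exposed through the pprof cmdline endpoint.
const presharedKeyFlag = "--grpc-preshared-key"

// parseCmdline splits the body of /debug/pprof/cmdline. Go's net/http/pprof
// writes os.Args joined by a NUL byte, so the response is the raw argv.
func parseCmdline(body string) []string {
	if body == "" {
		return nil
	}
	return strings.Split(body, "\x00")
}

// leakedPresharedKeys returns every value supplied to --grpc-preshared-key in
// argv, covering both the "--flag=value" and the "--flag value" spellings.
func leakedPresharedKeys(args []string) []string {
	var keys []string
	for i := 0; i < len(args); i++ {
		arg := args[i]
		switch {
		case strings.HasPrefix(arg, presharedKeyFlag+"="):
			keys = append(keys, strings.TrimPrefix(arg, presharedKeyFlag+"="))
		case arg == presharedKeyFlag && i+1 < len(args):
			keys = append(keys, args[i+1])
			i++
		}
	}
	return keys
}

// fetchCmdlineInProcess runs Go's pprof Cmdline handler against an in-memory
// request, so the demonstration needs no listening socket. os.Args is swapped
// for the constructed argv and restored afterwards.
func fetchCmdlineInProcess(argv []string) string {
	saved := os.Args
	os.Args = argv
	defer func() { os.Args = saved }()

	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
	pprof.Cmdline(rec, req)
	return rec.Body.String()
}

// probeCmdline is the check to run against a real metrics address
// (e.g. "http://spicedb.internal:9090"): GET the endpoint and report any
// pre-shared keys visible in argv. Not exercised here, since it needs a target.
func probeCmdline(metricsBase string) ([]string, error) {
	resp, err := http.Get(metricsBase + "/debug/pprof/cmdline")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return leakedPresharedKeys(parseCmdline(string(body))), nil
}

func main() {
	// Constructed argv: the vulnerable configuration from the advisory.
	vulnerable := []string{"spicedb", "serve", "--grpc-preshared-key=yoursecret", "--metrics-addr=:9090"}
	fmt.Printf("flag-configured: leaked=%q\n", leakedPresharedKeys(parseCmdline(fetchCmdlineInProcess(vulnerable))))

	// Recommended configuration: the key comes from the environment, so it is
	// absent from argv and the endpoint reveals nothing the attacker can use.
	os.Setenv("SPICEDB_GRPC_PRESHARED_KEY", "yoursecret")
	hardened := []string{"spicedb", "serve", "--metrics-addr=localhost:9090"}
	fmt.Printf("env-configured:  leaked=%q\n", leakedPresharedKeys(parseCmdline(fetchCmdlineInProcess(hardened))))
}
```

The parser handles both flag spellings because the leak is in argv itself, not in any particular flag syntax; whichever form the operator used is what the endpoint returns. Binding the metrics service to loopback or disabling it removes the reachability, while moving the key to the environment removes it from the data the endpoint has to disclose, so the two recommendations are independent and both are worth applying.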

Fix

Fixed in SpiceDB 1.19.1.

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2023-02270
CVE-2023-29193
GHSA-CJR9-MR35-7XH6
GO-2023-1723

Affected Products

Spicedb