PT-2023-2479 · Spicedb · Spicedb

Amit-Laish · Published 2023-04-03 · Updated 2024-08-20 · CVE-2023-29193

CVSS v3.1: 8.7 (High)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.19.1

Description: The /debug/pprof/cmdline endpoint, served by SpiceDB's metrics service on the address given by --metrics-addr, returns the full command line the SpiceDB binary was started with. If the preshared key is passed as the --grpc-preshared-key flag, anyone who can reach the metrics port can read the key, together with every other flag passed to the binary, and can then use it to authenticate to the gRPC API. Users who configure SpiceDB via environment variables or follow the recommended best practices for production usage are not affected. Users who expose the metrics port to an untrusted network and set --grpc-preshared-key as a command-line flag are affected.

Recommendations: Upgrade to SpiceDB 1.19.1 or later. In addition, or until the upgrade is possible, consider the following:
  • Configure the preshared key via an environment variable rather than a flag (e.g., SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve).
  • Bind the metrics service to a trusted network via --metrics-addr (e.g., --metrics-addr=localhost:9090).
  • Disable the metrics service entirely (e.g., --metrics-enabled=false).
  • Adopt one of the recommended deployment models: Authzed's managed services or the SpiceDB Operator.
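The leak described above is the stock behaviour of Go's net/http/pprof Cmdline handler, which writes os.Args joined by NUL bytes; any service that mounts that handler on a reachable port exposes whatever secrets were passed as flags. The following Go program is an added example written for this page, not SpiceDB's own code or its 1.19.1 fix: it calls the real pprof.Cmdline against a constructed argv to show the key in the response, serves a redacting handler beside it, and includes a small parser for a cmdline body so the same check can be run against a body fetched from a live metrics port. The flag list beyond --grpc-preshared-key, the secret value, and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"os"
	"strings"
)

// sensitiveFlags lists flags whose values must never reach a debug endpoint.
// --grpc-preshared-key is the flag named in the advisory; the second entry is
// an assumption added for illustration.
var sensitiveFlags = map[string]bool{
	"--grpc-preshared-key": true,
	"--datastore-conn-uri": true,
}

// redactArgs returns a copy of args with the values of sensitive flags masked.
// Both "--flag=value" and "--flag value" forms are handled.
func redactArgs(args []string) []string {
	out := make([]string, 0, len(args))
	for i := 0; i < len(args); i++ {
		a := args[i]
		if eq := strings.IndexByte(a, '='); eq > 0 && sensitiveFlags[a[:eq]] {
			out = append(out, a[:eq]+"=<redacted>")
			continue
		}
		if sensitiveFlags[a] && i+1 < len(args) {
			out = append(out, a, "<redacted>")
			i++ // skip the value token
			continue
		}
		out = append(out, a)
	}
	return out
}

// redactedCmdline mirrors pprof.Cmdline's output format (argv joined by NUL)
// but masks sensitive flag values before writing the response.
func redactedCmdline(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprint(w, strings.Join(redactArgs(os.Args), "\x00"))
}

// CmdlineFlagValue parses a /debug/pprof/cmdline body (NUL-separated argv)
// and returns the value visible for flag, if the flag is present at all.
// Run against a live metrics port it tells you exactly what a client sees.
func CmdlineFlagValue(body, flag string) (string, bool) {
	args := strings.Split(body, "\x00")
	for i, a := range args {
		if strings.HasPrefix(a, flag+"=") {
			return a[len(flag)+1:], true
		}
		if a == flag && i+1 < len(args) {
			return args[i+1], true
		}
	}
	return "", false
}

// serve issues GET /debug/pprof/cmdline to handler and returns the body.
func serve(handler http.HandlerFunc) string {
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Body.String()
}

// Demo returns (stock pprof body, redacted body) for a constructed argv that
// stands in for a SpiceDB started with the key on the command line. The
// secret value is made up.
func Demo() (string, string) {
	os.Args = []string{"spicedb", "serve", "--grpc-preshared-key=s3cr3t", "--metrics-addr", ":9090"}
	return serve(pprof.Cmdline), serve(redactedCmdline)
}

func main() {
	leaky, hardened := Demo()
	fmt.Printf("stock pprof.Cmdline: %q\n", leaky)
	fmt.Printf("redacting handler:   %q\n", hardened)
	if v, ok := CmdlineFlagValue(leaky, "--grpc-preshared-key"); ok {
		fmt.Printf("key visible to any client of the metrics port: %q\n", v)
	}
}
```

Redacting the handler is defence in depth, not a substitute for the recommendations above: the key still sits in the process's argv, readable by anything on the host that can list processes, which is why moving it to SPICEDB_GRPC_PRESHARED_KEY and keeping the metrics port off untrusted networks remain the primary fixes.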


Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2023-02270
CVE-2023-29193
GHSA-CJR9-MR35-7XH6
GO-2023-1723

Affected Products

Spicedb