PT-2023-25388 · Spicedb · Spicedb

Lowecordell · Published 2023-06-26 · Updated 2024-08-20 · CVE-2023-35930

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SpiceDB version 1.22.0

Description

The issue affects users making negative authorization decisions based on the results of a LookupResources request. This can lead to incorrect access control, where some subjects may not have access to resources they should, or some users may have access to resources they should not. The LookupResources function is not intended for gating access and should be used in conjunction with the Check API. Version 1.22.0 includes a warning about this bug. Users are advised to upgrade to version 1.22.2 to resolve the issue.

Recommendations

For SpiceDB version 1.22.0, upgrade to version 1.22.2 to resolve the issue. If unable to upgrade, avoid using LookupResources for negative authorization decisions as a temporary workaround.
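
The workaround above, as an added example that is not SpiceDB's or the advisory's own code: it contrasts a negative decision taken from a LookupResources listing with the same decision taken from Check. The Authorizer interface, the fake backend and its data are hypothetical stand-ins for the two SpiceDB calls, and the incomplete listing is modelled as one omitted entry, which is an assumption made for the demonstration.

```go
package main

import "fmt"

// Authorizer: hypothetical stand-in for SpiceDB's Check and LookupResources calls.
type Authorizer interface {
	Check(subject, permission, resource string) bool
	LookupResources(subject, permission string) []string
}

// fake serves constructed data; omit models an incomplete listing (assumption).
type fake struct {
	banned map[string]bool // "subject|resource" pairs holding "banned"
	all    []string        // every resource id known to the fake
	omit   string          // resource the listing leaves out
}

func (f fake) Check(subject, permission, resource string) bool {
	return permission == "banned" && f.banned[subject+"|"+resource]
}

func (f fake) LookupResources(subject, permission string) (out []string) {
	for _, r := range f.all {
		if r != f.omit && f.Check(subject, permission, r) {
			out = append(out, r)
		}
	}
	return out
}

// allowUnlessListed is the risky pattern: absence from a listing grants access.
func allowUnlessListed(a Authorizer, subject, resource string) bool {
	for _, r := range a.LookupResources(subject, "banned") {
		if r == resource {
			return false
		}
	}
	return true
}

// allowByCheck gates on Check for the exact subject/resource pair instead.
func allowByCheck(a Authorizer, subject, resource string) bool {
	return !a.Check(subject, "banned", resource)
}

func main() {
	a := fake{banned: map[string]bool{"user:eve|doc:2": true}, all: []string{"doc:1", "doc:2"}, omit: "doc:2"}
	fmt.Println(allowUnlessListed(a, "user:eve", "doc:2"), allowByCheck(a, "user:eve", "doc:2"))
}
```

With the entry omitted from the listing, the listing-based gate lets the banned subject through while the Check-based gate still denies.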

Related Identifiers

CVE-2023-35930
GHSA-M54H-5X5F-5M6R
GO-2023-1871

Affected Products

Spicedb