CVE-2023-46255

Name of the Vulnerable Software and Affected Versions SpiceDB versions prior to 1.27.0-rc1

Description SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. When the provided datastore URI is malformed, such as having a password that contains a colon (:), the full URI, including the provided password, is printed, resulting in the password being shown in the logs.

Recommendations For SpiceDB versions prior to 1.27.0-rc1, update to version 1.27.0-rc1 or later to resolve the issue. As a temporary workaround, consider sanitizing log outputs to prevent exposure of sensitive information, such as passwords, until a patch is applied. Restrict access to log files to minimize the risk of exploitation. Avoid using passwords that contain special characters, such as colons, in datastore URIs until the issue is resolved.