PT-2024-33261 · Spicedb+1

Vroldanbet · Published 2024-10-14 · Updated 2024-11-05 · CVE-2024-48909

CVSS v3.1: 2.4 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SpiceDB versions 1.35.0 through 1.37.0

Description: SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Clients that have enabled LookupResources2 and have caveats in the evaluation path for their requests can receive a permissionship of CONDITIONAL with the context marked as missing, even when the context was supplied in the request. The affected range spans 1.35.0 through 1.37.0 because LookupResources2 has been available as an opt-in feature since SpiceDB 1.35.0 and became the default in SpiceDB 1.37.0.

Recommendations: For SpiceDB versions 1.35.0 through 1.37.0, disable LookupResources2 by setting the --enable-experimental-lookup-resources flag to false. For SpiceDB versions prior to 1.37.1, update to SpiceDB 1.37.1, which resolves the issue.

Related Identifiers

CVE-2024-48909
GHSA-3C32-4HQ9-6WGJ
GO-2024-3200
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Spicedb
Suse