PT-2024-4350 · Spicedb · Spicedb

Josephschorr · Published 2024-06-20 · Updated 2024-06-28 · CVE-2024-38361

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.33.1

Description: The issue is incorrect permission handling in SpiceDB, which can lead to a user being reported as not having access to a resource when they actually do. It occurs when an exclusion is used under an arrow with multiple resources, so that NO PERMISSION is returned when PERMISSION is expected. The problem arises when a resource exists under multiple folders and the user has access to view more than one of those folders: SpiceDB fails to request all of the folders in which the user is a member. This issue affects the CheckPermission API.

Recommendations: For versions prior to 1.33.1, upgrade to version 1.33.1 to resolve the issue. As a temporary workaround, consider restricting access to the CheckPermission API until the upgrade is applied. Avoid using exclusions under arrows with multiple resources in the permission schema until the issue is resolved.
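As an added illustration that is not part of the advisory or of the SpiceDB project, the following constructed validation file (the format consumed by `zed validate` and the SpiceDB playground) shows the schema shape the description names: an exclusion (`viewer - banned`) reached through an arrow (`folder->view`) from a document that sits in more than one folder, with a user who is a viewer of both folders. All definition, object and user names are hypothetical; auditing a schema for a `->` that lands on a permission containing `-` is how to tell whether it matches the affected pattern.

```yaml
# Constructed example; names are hypothetical and not taken from the advisory.
schema: |-
  definition user {}

  definition folder {
      relation viewer: user
      relation banned: user
      # Exclusion: a banned user loses view even if also listed as viewer.
      permission view = viewer - banned
  }

  definition document {
      # A document may be filed under several folders (multiple resources).
      relation folder: folder
      # Arrow over the folder's exclusion-based permission: the affected shape.
      permission view = folder->view
  }

# Constructed relationships: one document in two folders, one user viewing both.
relationships: |-
  document:report#folder@folder:a
  document:report#folder@folder:b
  folder:a#viewer@user:alice
  folder:b#viewer@user:alice
  folder:b#banned@user:bob

# Expected results on a fixed version (1.33.1 or later): alice does have view.
assertions:
  assertTrue:
    - "document:report#view@user:alice"
  assertFalse:
    - "document:report#view@user:bob"
```

Running the file against an affected version is the kind of check that surfaces the advisory's symptom for this shape (the `assertTrue` line reporting NO PERMISSION); on 1.33.1 or later the assertions are expected to hold.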

Weakness Enumeration

Improper Preservation of Permissions

Related Identifiers

BDU:2024-04839
CVE-2024-38361
GHSA-GRJV-GJGR-66G2
GO-2024-2939

Affected Products

Spicedb