{"id":"GHSA-jhg6-6qrx-38mr","summary":"SpiceDB having multiple caveats on resources of the same type may improperly result in no permission","details":"## Background\n\nMultiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected\n\nFor example, given this schema:\n\n```\ndefinition user {}\n\ncaveat somecaveat(somefield int) {\n  somefield == 42\n}\n\ndefinition group {\n  relation member: user\n}\n\ndefinition resource {\n  relation viewer: group#member with somecaveat\n  permission view = folder-\u003eview\n}\n```\n\nIf the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be \"no permission\" when permission is expected.\n\n## Impact\nPermission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.\n\n## Workarounds\nDo not use caveats or do not use caveats on an indirect subject type with multiple entries","aliases":["CVE-2024-46989","GO-2024-3131"],"modified":"2024-11-18T16:27:14Z","published":"2024-09-18T17:42:46Z","database_specific":{"github_reviewed_at":"2024-09-18T17:42:46Z","nvd_published_at":"2024-09-18T18:15:07Z","cwe_ids":["CWE-269","CWE-285"],"severity":"MODERATE","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/authzed/spicedb/security/advisories/GHSA-jhg6-6qrx-38mr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46989"},{"type":"WEB","url":"https://github.com/authzed/spicedb/commit/20855de75812bcbc975efebe7f76abf47c0f3edb"},{"type":"WEB","url":"https://github.com/authzed/spicedb/commit/d4ef8e1dbce1eafaf25847f4c0f09738820f5bf2"},{"type":"PACKAGE","url":"https://github.com/authzed/spicedb"}],"affected":[{"package":{"name":"github.com/authzed/spicedb","ecosystem":"Go","purl":"pkg:golang/github.com/authzed/spicedb"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.35.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-jhg6-6qrx-38mr/GHSA-jhg6-6qrx-38mr.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}