CVE-2023-35930
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-35930 is a vulnerability affecting SpiceDB, an open-source database system for managing security-critical application permissions. In version 1.22.0, any user who makes a negative authorization decision based on the results of a `LookupResources` request can incorrectly grant access to resources. This occurs when `LookupResources` is used to deny access, a purpose for which the `Check` API is intended. As a result, some users who should not have access may be granted it. SpiceDB has issued a warning about this bug since the initial release and advises users to upgrade to version 1.22.2. Those unable to upgrade should refrain from using `LookupResources` for negative authorization decisions.
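The difference between the two decision patterns, as an added example that is not SpiceDB or Authzed code: the functions below are hypothetical in-memory stand-ins for `LookupResources` and `Check`, the relationship data is constructed, and the `missing` parameter models a lookup result that lacks an entry (an assumption about how the wrong grant arises).

```python
# Constructed relationship data: (resource, relation) -> subjects.
# Modelled permission (assumption): view = viewer - banned.
RELATIONSHIPS = {
    ("document:plan", "viewer"): {"user:alice", "user:bob"},
    ("document:plan", "banned"): {"user:bob"},
    ("document:notes", "viewer"): {"user:alice", "user:bob"},
    ("document:notes", "banned"): set(),
}


def check(subject, resource):
    """Stand-in for a Check of `view` on one resource."""
    viewers = RELATIONSHIPS.get((resource, "viewer"), set())
    banned = RELATIONSHIPS.get((resource, "banned"), set())
    return subject in viewers and subject not in banned


def lookup_banned(subject, missing=frozenset()):
    """Stand-in for a LookupResources call listing resources the subject
    is banned from. `missing` models entries absent from the result."""
    found = {
        resource
        for (resource, relation), subjects in RELATIONSHIPS.items()
        if relation == "banned" and subject in subjects
    }
    return found - set(missing)


def allowed_by_deny_list(subject, resource, missing=frozenset()):
    """Negative decision: grant unless the lookup result lists the resource.
    Any entry missing from the result fails open."""
    return resource not in lookup_banned(subject, missing)


def allowed_by_check(subject, resource):
    """Per-resource decision: grant only on a positive check."""
    return check(subject, resource)


def compare(subject, resource, missing=frozenset()):
    """Return both decisions side by side for one access request."""
    return {
        "deny_list": allowed_by_deny_list(subject, resource, missing),
        "check": allowed_by_check(subject, resource),
    }


if __name__ == "__main__":
    print(compare("user:bob", "document:plan"))
    print(compare("user:bob", "document:plan", missing={"document:plan"}))
```

With a complete lookup result both patterns deny `user:bob`; once `document:plan` is missing from the result, only the deny-list pattern grants access.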