CVE-2024-46989

CVSS 3.1 Score 3.7 of 10 (low)

Details

Published Sep 18, 2024
Updated: Sep 20, 2024
CWE ID 269

Summary

CVE-2024-46989 affects SpiceDB, an open source permissions database designed for fine-grained authorization in applications. The vulnerability arises when multiple caveats are applied to the same indirect subject type: the CheckPermission API may then return a "no permission" response when access is expected. The issue is resolved in SpiceDB version 1.35.3, and users are strongly encouraged to upgrade to that version. Those unable to upgrade are advised to avoid using caveats, or to refrain from applying them on indirect subject types with multiple entries. The vulnerability is rated low severity (base score of 3.7) with high attack complexity, and could expose organizations to improper privilege management risks.
