CVE-2024-48909
CVSS 3.1 Score 2.0 of 10 (low)
Details
Summary
CVE-2024-48909 affects SpiceDB versions 1.35.0 to 1.37.1. With the experimental LookupResources2 feature enabled, LookupResources calls can incorrectly return a permissionship of CONDITIONAL even though the provided context is marked as missing. The vulnerability poses a low confidentiality risk: exploiting it requires high privileges and user interaction, and the attack complexity is rated high. It has been patched in SpiceDB version 1.37.1; users are advised to upgrade to that version or, as a workaround, disable LookupResources2 with the --enable-experimental-lookup-resources=false flag. The potential impact is unauthorized access to, or manipulation of, authorization data, which could lead to security breaches within an organization. Affected products include a wide range of identifiers such as zeRf5J, wk2GUQ, and others listed in the advisory.