fkie_cve-2025-49011
Vulnerability from fkie_nvd
Published
2025-06-06 18:15
Modified
2025-06-09 12:15
Severity ?
Summary
SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow’ed relation.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SpiceDB is an open source database for storing and querying fine-grained authorization data. Prior to version 1.44.2, on schemas involving arrows with caveats on the arrow\u2019ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. Version 1.44.2 fixes the issue. As a workaround, do not use caveats in the schema over an arrow\u2019ed relation."
},
{
"lang": "es",
"value": "SpiceDB es una base de datos de c\u00f3digo abierto para almacenar y consultar datos de autorizaci\u00f3n detallados. Antes de la versi\u00f3n 1.44.2, en esquemas con flechas y advertencias en la relaci\u00f3n con flechas, cuando la ruta para resolver una solicitud CheckPermission implica la evaluaci\u00f3n de varias ramas con advertencias, las solicitudes pod\u00edan devolver una respuesta negativa cuando se esperaba una positiva. La versi\u00f3n 1.44.2 soluciona este problema. Como soluci\u00f3n alternativa, no utilice advertencias en el esquema sobre una relaci\u00f3n con flechas."
}
],
"id": "CVE-2025-49011",
"lastModified": "2025-06-09T12:15:47.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-06T18:15:35.497",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/authzed/spicedb/releases/tag/v1.44.2"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-358"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…