2.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32001

CVE-2024-32001: SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Background

Use of a relation of the form: relation folder: folder | folder#parent with an arrow such as folder->view can cause LookupSubjects to only return the subjects found under subjects for either folder or folder#parent.

This bug only manifests if the same subject type is used multiple types in a relation, relationships exist for both subject types and an arrow is used over the relation.

Impact

Any user making a negative authorization decision based on the results of a LookupSubjects request with version before v1.30.1 is affected.

Workarounds

Avoid using LookupSubjects for negative authorization decisions and/or avoid using the broken schema.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-32001

CVE-2024-32001:

2.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/authzed/spicedb	go	< 1.30.1	1.30.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of subject set merging in SubjectByTypeSet.Map. The pre-patch code directly assigned subjectset to mapped.byType[key] without checking for existing entries (CWE-755). The fix introduced cloning and unioning of existing sets when a key collision occurred. The added test TestSubjectSetMapOverSameSubjectDifferentRelation explicitly verifies this merging behavior, confirming this was the failure point. The vulnerability manifests specifically when mapping multiple relations of the same subject type through an arrow (->) operator, matching the described attack scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

2.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-32001: SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Background

Impact

Workarounds

CVE-2024-32001:

2.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

2.2

2.2

Technical Details

CVE-2024-32001: SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Background

Impact

Workarounds

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

2.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-32001: SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Background

Impact

Workarounds

CVE-2024-32001:

2.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

2.2

2.2

Technical Details

CVE-2024-32001: SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used

Background

Impact

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI