3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-38361

CVE-2024-38361: SpiceDB exclusions can result in no permission returned when permission expected

Background

Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected.

For example, given this schema:

definition user {}

definition folder {
  relation member: user
  relation banned: user
  permission view = member - banned
}

definition resource {
  relation folder: folder
  permission view = folder->view
}

If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that all the folders in which the user is a member be returned

Impact

Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.

Workarounds

None

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-38361

CVE-2024-38361:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/authzed/spicedb	go	< 1.33.1	1.33.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how exclusion operations were dispatched in the difference function. The original code passed the current request context (crc) directly to the handler, which might have used a results setting that allowed early termination (e.g., ALLOW_SINGLE_RESULT). The fix explicitly sets resultsSetting to REQUIRE_ALL_RESULTS for the first branch, ensuring all potential permission paths are evaluated. This matches the described failure scenario where not all folders were checked when processing exclusions, and aligns with the CWE-281 classification of improper permission preservation. The test cases added in check_test.go specifically validate this scenario, confirming the function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-38361: SpiceDB exclusions can result in no permission returned when permission expected

Background

Impact

Workarounds

CVE-2024-38361:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2024-38361: SpiceDB exclusions can result in no permission returned when permission expected

Background

Impact

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.7

3.7

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI