CVE-2023-46255 - Vulnerability Details - OpenCVE

SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00158.

Key SSVC decision points have not yet been added.

Vendors	Products
Authzed	Spicedb

Configuration 1 [-]

cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2760	SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.
Github GHSA	GHSA-jg7w-cxjv-98c2	SpiceDB leaks information in log files when URI cannot be parsed

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8
https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-31T15:25:24.933Z

Updated: 2024-09-05T20:16:15.166Z

Reserved: 2023-10-19T20:34:00.949Z

Link: CVE-2023-46255

Vulnrichment

Updated: 2024-08-02T20:37:40.152Z

NVD

Status : Modified

Published: 2023-10-31T16:15:10.007

Modified: 2024-11-21T08:28:10.890

Link: CVE-2023-46255

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46255", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-19T20:34:00.949Z", "datePublished": "2023-10-31T15:25:24.933Z", "dateUpdated": "2024-09-05T20:16:15.166Z"}, "containers": {"cna": {"title": "`SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"}, {"name": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8", "tags": ["x_refsource_MISC"], "url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"version": "< 1.27.0-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-02T16:20:18.948Z"}, "descriptions": [{"lang": "en", "value": "SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue."}], "source": {"advisory": "GHSA-jg7w-cxjv-98c2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.152Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"}, {"name": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T20:15:56.911924Z", "id": "CVE-2023-46255", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T20:16:15.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2", "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8", "name": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.152Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T20:15:56.911924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T20:16:10.379Z"}}], "cna": {"title": "`SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed", "source": {"advisory": "GHSA-jg7w-cxjv-98c2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "authzed", "product": "spicedb", "versions": [{"status": "affected", "version": "< 1.27.0-rc1"}]}], "references": [{"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2", "name": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8", "name": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-02T16:20:18.948Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46255", "state": "PUBLISHED", "dateUpdated": "2024-09-05T20:16:15.166Z", "dateReserved": "2023-10-19T20:34:00.949Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-31T15:25:24.933Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:*", "matchCriteriaId": "1339CD3F-78E6-4CCC-B453-9ED4AC5C8F6E", "versionEndExcluding": "1.27.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue."}, {"lang": "es", "value": "SpiceDB es una base de datos de c\u00f3digo abierto inspirada en Google Zanz\u00edbar para crear y administrar permisos de aplicaciones cr\u00edticas para la seguridad. Antes de la versi\u00f3n 1.27.0-rc1, cuando el URI del almac\u00e9n de datos proporcionado tiene un formato incorrecto (por ejemplo, al tener una contrase\u00f1a que contiene `:`), se imprime el URI completo (incluida la contrase\u00f1a proporcionada), de modo que la contrase\u00f1a se muestra en los registros. La versi\u00f3n 1.27.0-rc1 soluciona este problema."}], "id": "CVE-2023-46255", "lastModified": "2024-11-21T08:28:10.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-31T16:15:10.007", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}