CVE-2024-27101
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
01/03/2024
Last modified:
02/09/2025
Description
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Integer overflow in chunking helper causes dispatching to miss elements or panic. Any SpiceDB cluster with any schema where a resource being checked has more than 65535 relationships for the same resource and subject type is affected by this problem. The CheckPermission, BulkCheckPermission, and LookupSubjects API methods are affected. This vulnerability is fixed in 1.29.2.
Impact
Base Score 3.x
7.30
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:authzed:spicedb:*:*:*:*:*:*:*:* | 1.29.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe
- https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p
- https://github.com/authzed/spicedb/commit/ef443c442b96909694390324a99849b0407007fe
- https://github.com/authzed/spicedb/security/advisories/GHSA-h3m7-rqc4-7h9p