SpiceDB binding metrics port to untrusted networks and can leak command-line flags
CVE-2023-29193
What is CVE-2023-29193?
SpiceDB is an open-source database for managing security-critical application permissions. Versions before 1.19.1 expose the Go pprof endpoint /debug/pprof/cmdline on the metrics HTTP service. That endpoint exists for debugging, but it returns the full command line of the running process, so when the gRPC preshared key is supplied via the --grpc-preshared-key flag, anyone who can reach the metrics port can read the key, together with every other flag the process was started with. The preshared key is the credential that authenticates clients to SpiceDB's gRPC API, so disclosing it hands out full API access. A deployment is affected when the metrics service is reachable from an untrusted network and the preshared key is configured on the command line. Mitigations: pass the preshared key through an environment variable rather than a flag, and/or change the metrics service address so it is reachable only from trusted networks. The issue is fixed in version 1.19.1; users should upgrade.
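As an added example (not SpiceDB's code and not part of this advisory), the Go program below reproduces the leak with the standard net/http/pprof handlers and shows the mitigation. It mounts the stock cmdline route on a metrics mux, requests /debug/pprof/cmdline the way a client on the metrics network would, and extracts the flag value from the NUL-separated dump; it then rebuilds the mux without the cmdline handler and moves the key into an environment variable. The process name, flag forms, key value and the environment variable name SPICEDB_GRPC_PRESHARED_KEY are assumptions used for illustration; os.Args is overwritten in-process to stand in for how the operator launched the binary.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this also registers every pprof route on http.DefaultServeMux
	"os"
	"strings"
)

// Constructed values for this example; none of them come from SpiceDB.
const (
	constructedKey  = "s3cr3t-preshared-key"
	presharedFlag   = "--grpc-preshared-key"
	presharedKeyEnv = "SPICEDB_GRPC_PRESHARED_KEY" // assumed env-var name for the flag
)

// simulateLaunch stands in for how the operator started the process: it sets
// os.Args, which is exactly what pprof.Cmdline dumps, and the environment.
func simulateLaunch(args []string, env map[string]string) {
	os.Args = args
	for k, v := range env {
		os.Setenv(k, v)
	}
}

// vulnerableMetricsMux is what a process gets when it serves the stock pprof
// routes on its metrics port: /debug/pprof/cmdline echoes os.Args verbatim.
func vulnerableMetricsMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	return mux
}

// hardenedMetricsMux keeps the profiles operators actually use (heap,
// goroutine, CPU) but never mounts the cmdline handler. pprof.Index only
// serves named runtime profiles, so /debug/pprof/cmdline answers 404.
func hardenedMetricsMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	return mux
}

// getCmdline issues the request a client on the metrics network would send
// and returns the status code and response body.
func getCmdline(h http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/cmdline", nil)
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// leaksPresharedKey scans a cmdline dump for the flag value. pprof joins
// os.Args with NUL bytes, so each argument is inspected on its own; both the
// "--flag=value" and "--flag value" spellings are recognised.
func leaksPresharedKey(body string) (bool, string) {
	args := strings.Split(body, "\x00")
	for i, arg := range args {
		if strings.HasPrefix(arg, presharedFlag+"=") {
			return true, strings.TrimPrefix(arg, presharedFlag+"=")
		}
		if arg == presharedFlag && i+1 < len(args) {
			return true, args[i+1]
		}
	}
	return false, ""
}

func main() {
	// Affected deployment: key on the command line, stock pprof routes, and a
	// metrics port reachable from an untrusted network.
	simulateLaunch([]string{"spicedb", "serve", presharedFlag + "=" + constructedKey}, nil)
	code, body := getCmdline(vulnerableMetricsMux())
	leaked, value := leaksPresharedKey(body)
	fmt.Printf("vulnerable: status=%d leaked=%v value=%q\n", code, leaked, value)

	// Mitigated deployment: key via environment variable and no cmdline route.
	// Bind the listener to a trusted address as well, e.g.
	// http.Server{Addr: "127.0.0.1:9090", Handler: hardenedMetricsMux()}.
	simulateLaunch([]string{"spicedb", "serve"}, map[string]string{presharedKeyEnv: constructedKey})
	code, body = getCmdline(hardenedMetricsMux())
	leaked, _ = leaksPresharedKey(body)
	fmt.Printf("hardened: status=%d leaked=%v key_in_env=%v\n",
		code, leaked, os.Getenv(presharedKeyEnv) == constructedKey)
}
```

Moving the key into the environment is the mitigation that works even on an unpatched binary: the cmdline route still answers, but os.Args no longer contains the secret. To check a running deployment, request /debug/pprof/cmdline on the metrics port from a host on the same network and translate the NUL separators, for example `curl -s http://HOST:PORT/debug/pprof/cmdline | tr '\0' '\n'`; any flag value that appears there is visible to everyone who can reach that port.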
Affected Version(s)
spicedb < 1.19.1
