Integer Overflow in Chunking Helper Causes Dispatching Issues
CVE-2024-27101

7.3HIGH

Key Information:

Vendor: Authzed
Status: Spicedb
Vendor: CVE Published:; 1 March 2024

What is CVE-2024-27101?

SpiceDB, a database inspired by Google Zanzibar, is designed for managing security-critical application permissions. This vulnerability is triggered by an integer overflow occurring in the chunking helper, which may cause permission dispatching errors or system panic. The vulnerability impacts any SpiceDB cluster that utilizes a schema where a resource has more than 65,535 relationships for the same resource and subject type. The affected API methods include CheckPermission, BulkCheckPermission, and LookupSubjects. Users are urged to upgrade to version 1.29.2 or later to mitigate this issue.

Affected Version(s)

spicedb < 1.29.2

References

https://github.com/authzed/spicedb/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/authzed/spicedb/commit/ef443c442b96909...

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 1, 2024
Vulnerability Reserved
Feb 19, 2024

CVE-2024-27101 Data

JSON

Authzed

What is CVE-2024-27101?

Affected Version(s)

References

CVSS V3.1

Timeline