CVE-2024-48909
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-48909
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48909.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-48909
- Aliases
- Downstream
- Related
- Published
- 2024-10-14T20:22:17Z
- Modified
- 2025-10-20T20:28:33.350488Z
- Severity
-
- 2.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not
- Details
-
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled
LookupResources2and have caveats in the evaluation path for their requests can return a permissionship ofCONDITIONALwith context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the--enable-experimental-lookup-resourcesflag by setting it tofalse. - Database specific
{ "cwe_ids": [ "CWE-172" ] }- References