CVE-2023-29193: 
NixOS vulnerability analysis and mitigation

SpiceDB, an open source Google Zanzibar-inspired database system for managing security-critical application permissions, was found to have a vulnerability identified as CVE-2023-29193. The vulnerability was discovered in the spicedb serve command's handling of the --grpc-preshared-key flag, which is used to protect the gRPC API from unauthorized access. The issue was fixed in version 1.19.1 (SpiceDB Release).

The vulnerability stems from the /debug/pprof/cmdline endpoint served by the metrics service (defaulting to port 9090) which reveals command-line flags provided for debugging purposes. When a password is set via the --grpc-preshared-key flag, the key is exposed through this endpoint along with other flags provided to the SpiceDB binary. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD Database).

The vulnerability primarily affects deployments that expose their metrics port to untrusted networks while configuring the --grpc-preshared-key via command-line flag. However, deployments following recommended best practices for production usage, including Authzed's SpiceDB Serverless, SpiceDB Dedicated, and SpiceDB Operator, are not affected. Additionally, users configuring SpiceDB via environment variables are not impacted (GitHub Advisory).

Several workarounds are available: configure the preshared key via an environment variable (e.g., SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve), reconfigure the --metrics-addr flag to bind to a trusted network (e.g., --metrics-addr=localhost:9090), disable the metrics service via the flag (e.g., --metrics-enabled=false), or adopt one of the recommended deployment models such as Authzed's managed services or the SpiceDB Operator. The vulnerability has been patched in version 1.19.1 (GitHub Advisory).