
Cloud Vulnerability DB
A community-led vulnerabilities database
SpiceDB, an Open Source Google Zanzibar-inspired permissions database for enabling fine-grained authorization in customer applications, was found to have a vulnerability where multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. The vulnerability (CVE-2024-46989) was disclosed on September 18, 2024, and has been patched in version 1.35.3 (GitHub Advisory).
The vulnerability occurs when a resource has multiple groups and each group is caveated. In this scenario, the CheckPermission API incorrectly returns NO_PERMISSION where PERMISSION is expected. The issue lies in the permission evaluation logic when it handles multiple caveated entries of the same indirect subject type on the same relation. The vulnerability has been assigned a CVSS v3.1 score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility but high attack complexity (NVD).
When triggered, the vulnerability causes the system to incorrectly deny permissions that should be granted, potentially disrupting access control in applications using SpiceDB. Legitimate users may be unable to access resources they are entitled to, which affects the integrity of the authorization decisions (GitHub Advisory).
The vulnerability has been patched in SpiceDB version 1.35.3. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, the recommended workaround is to either avoid using caveats entirely or avoid using caveats on an indirect subject type with multiple entries (GitHub Advisory).
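To make the affected shape concrete, the following is an added example (not taken from the advisory or from the SpiceDB project) written as a SpiceDB validation file of the kind consumed by `zed validate` and the playground. The definitions, the `is_weekday` caveat, its `day_of_week` parameter and the relationships are all constructed for illustration. It models the scenario described above: one relation on a resource holds two caveated entries of the same indirect subject type (`group#member`), and a user reaches the resource through one of those groups. The assertions encode the expected behaviour on a patched server (1.35.3 or later); on an affected version the first assertion is where the described NO_PERMISSION result would surface.

```yaml
# Constructed validation file; names, caveat and relationships are assumptions
# for illustration and are not drawn from the advisory.
schema: |-
  definition user {}

  // A caveat that only grants access on weekdays. The parameter name is assumed.
  caveat is_weekday(day_of_week string) {
    day_of_week != "saturday" && day_of_week != "sunday"
  }

  definition group {
    relation member: user
  }

  definition document {
    // The indirect subject type group#member carries the caveat. Two caveated
    // entries of this type on the same relation is the shape the advisory describes.
    relation viewer: group#member with is_weekday
    permission view = viewer
  }

relationships: |-
  group:eng#member@user:alice
  document:readme#viewer@group:eng#member[is_weekday]
  document:readme#viewer@group:ops#member[is_weekday]

assertions:
  # Expected on a patched server: alice is a member of eng, eng is a caveated
  # viewer of the document, and the caveat holds on a Monday.
  assertTrue:
    - 'document:readme#view@user:alice with {"day_of_week": "monday"}'
  # The caveat fails on a weekend, so NO_PERMISSION is the correct answer here.
  assertFalse:
    - 'document:readme#view@user:alice with {"day_of_week": "sunday"}'
```

Running this file against a deployment is a cheap regression check: a false result for the Monday assertion on a server older than 1.35.3 reproduces the reported behaviour. If upgrading is not yet possible, the workaround above amounts to restructuring so that no indirect subject type on a relation carries caveats across multiple entries; one restructuring consistent with that (an assumption, not a recommendation from the advisory) is to caveat direct subjects instead, for example `relation viewer: user with is_weekday | group#member`, and apply the caveat to the direct user relationships rather than to the group entries.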
Source: This report was generated using AI