CVE-2024-48909

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0. The bug is patched as part of SpiceDB 1.37.1. As a workaround, disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false`.

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not in github.com/authzed/spicedb

### Impact Clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a permissionship of `CONDITIONAL` with context marked as missing, even then the context was supplied. LookupResources2 is the new default in SpiceDB 1.37.0 and has been opt-in since SpiceDB 1.35.0 ### Patches The bug will be released as part of SpiceDB 1.37.1 ### Workarounds Disable LookupResources2 via the `--enable-experimental-lookup-resources` flag by setting it to `false` ``` --enable-experimental-lookup-resources=false ```

SpiceDB es una base de datos de código abierto para almacenar y consultar de forma escalable datos de autorización de grano fino. A partir de la versión 1.35.0 y antes de la versión 1.37.1, los clientes que han habilitado `LookupResources2` y tienen advertencias en la ruta de evaluación para sus solicitudes pueden devolver un permiso `CONDICIONAL` con el contexto marcado como faltante, incluso si se proporcionó el contexto. LookupResources2 es el nuevo valor predeterminado en SpiceDB 1.37.0 y ha sido opcional desde SpiceDB 1.35.0. El error se corrigió como parte de SpiceDB 1.37.1. Como workaround, deshabilite LookupResources2 a través del indicador `--enable-experimental-lookup-resources` estableciéndolo en `false`.