Headline
GHSA-jg7w-cxjv-98c2: `SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed in github.com/authzed/spicedb
When the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs.
Example output:
terminated with errors error="unable to create migration driver for postgres: parse \"postgres://spicedb:<PASSWORD IN PLAINTEXT>": invalid port \"<PASSWORD IN PLAINTEXT>\" after host"
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-46255
`SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed in github.com/authzed/spicedb
Moderate severity GitHub Reviewed Published Oct 30, 2023 in authzed/spicedb • Updated Oct 31, 2023
Package
gomod github.com/authzed/spicedb (Go)
Affected versions
< 1.27.0
When the provided datastore URI is malformed (e.g. by having a password which contains :) the full URI (including the provided password) is printed, so that the password is shown in the logs.
Example output:
terminated with errors error="unable to create migration driver for postgres: parse \"postgres://spicedb:<PASSWORD IN PLAINTEXT>": invalid port \"<PASSWORD IN PLAINTEXT>\" after host"
References
- GHSA-jg7w-cxjv-98c2
- https://nvd.nist.gov/vuln/detail/CVE-2023-46255
- authzed/spicedb@ae50421
Published to the GitHub Advisory Database
Oct 31, 2023
Last updated
Oct 31, 2023
Related news
SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0 patches this issue.