CVE-2023-46255

MEDIUM

SpiceDB <1.27.0-rc1 - Info Disclosure

Title source: llm

Description

SpiceDB is an open source, Google Zanzibar-inspired database for creating and managing security-critical application permissions. Prior to version 1.27.0-rc1, when the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Version 1.27.0-rc1 patches this issue.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/authzed/spicedb/security/advisories/GHSA-jg7w-cxjv-98c2

Patch x_refsource_misc

https://github.com/authzed/spicedb/commit/ae50421b80f895e4c98d999b18e06b6f1e6f1cf8

View Patch ZIP pw:eip

Scores

CVSS v3 4.2

EPSS 0.0016

EPSS Percentile 36.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-532

Status published

Products (2)

authzed/spicedb < 1.27.0

authzed/spicedb 0 - 1.27.0-rc1Go

Published Oct 31, 2023

Tracked Since Feb 18, 2026