SCA: security update for github.com/authzed/spicedb (GHSA-cjr9-mr35-7xh6)

high Tenable Self-Hosted Container Security Plugin ID 413952

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SpiceDB is an open source, Google Zanzibar-inspired database system for creating and managing security-critical application permissions. The `spicedb serve` command has a flag named `--grpc-preshared-key` that protects the gRPC API from unauthorized requests; its value must be treated as sensitive, secret data. The `/debug/pprof/cmdline` endpoint served by the metrics service (running on port `9090` by default) reveals, for debugging purposes, the command-line flags the process was started with. If the preshared key is set via `--grpc-preshared-key`, that endpoint reveals the key along with every other flag passed to the SpiceDB binary. This issue has been fixed in version 1.19.1.

  ### Impact

  All deployments abiding by the recommended best practices for production usage are **NOT affected**:

  - Authzed's SpiceDB Serverless
  - Authzed's SpiceDB Dedicated
  - SpiceDB Operator

  Users configuring SpiceDB via environment variables are **NOT affected**.

  Users **MAY be affected** if they expose their metrics port to an untrusted network and configure `--grpc-preshared-key` via a command-line flag.

  ### Patches

  Fixed in SpiceDB version 1.19.1.

  ### Workarounds

  To work around this issue you can do one of the following:

  - Configure the preshared key via an environment variable (e.g. `SPICEDB_GRPC_PRESHARED_KEY=yoursecret spicedb serve`)
  - Reconfigure the `--metrics-addr` flag to bind to a trusted network (e.g. `--metrics-addr=localhost:9090`)
  - Disable the metrics service via the flag (e.g. `--metrics-enabled=false`)
  - Adopt one of the recommended deployment models: [Authzed's managed services](https://authzed.com/pricing) or the [SpiceDB Operator](https://github.com/authzed/spicedb-operator)

  ### References

  - [GitHub Security Advisory issued for SpiceDB](https://github.com/authzed/spicedb/security/advisories/GHSA-cjr9-mr35-7xh6)
  - [Go issue #22085](https://github.com/golang/go/issues/22085) documents the risks of exposing pprof to the internet
  - [Go issue #42834](https://github.com/golang/go/issues/42834) discusses preventing pprof registration on the default serve mux
  - [semgrep rule go.lang.security.audit.net.pprof.pprof-debug-exposure](https://semgrep.dev/r?q=go.lang.security.audit.net.pprof) checks for a variation of this issue

  ### Credit

  We'd like to thank Amit Laish, a security researcher at GE Vernova, for responsibly disclosing this vulnerability. (CVE-2023-29193)
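As an added example (not SpiceDB's or Authzed's code), the following Go program shows what the leak looks like on the wire and how to check a metrics listener for it. `NewMetricsServer` stands in for a SpiceDB metrics listener started with a constructed argv; its handler reproduces the byte format that `net/http/pprof`'s `Cmdline` handler emits (the process's `os.Args` joined by NUL bytes), so nothing here contacts a real SpiceDB binary. `CheckMetricsEndpoint`, `ParseCmdline` and `LeakedSecrets` are names chosen for this example. The two launch lines are constructed: the first passes the key as a flag (affected), the second corresponds to the environment-variable workaround, where the key never reaches the command line and therefore never reaches the endpoint.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sensitiveFlags lists flags whose values must never appear in a debug
// endpoint. --grpc-preshared-key is the flag named in the advisory.
var sensitiveFlags = []string{"--grpc-preshared-key"}

// ParseCmdline splits the body returned by /debug/pprof/cmdline into
// arguments. net/http/pprof's Cmdline handler writes os.Args joined by NUL
// bytes, so NUL is the separator used here.
func ParseCmdline(body []byte) []string {
	if len(body) == 0 {
		return nil
	}
	return strings.Split(string(body), "\x00")
}

// LeakedSecrets returns flag -> value for every sensitive flag found in
// args. Both "--flag=value" and "--flag value" forms are handled, since
// pflag-style CLIs accept either.
func LeakedSecrets(args []string, sensitive []string) map[string]string {
	leaked := map[string]string{}
	for i, arg := range args {
		for _, flag := range sensitive {
			if strings.HasPrefix(arg, flag+"=") {
				leaked[flag] = strings.TrimPrefix(arg, flag+"=")
			} else if arg == flag && i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") {
				leaked[flag] = args[i+1]
			}
		}
	}
	return leaked
}

// CheckMetricsEndpoint fetches /debug/pprof/cmdline from a metrics listener
// and reports any sensitive flag values it exposes. A 404 means pprof is not
// mounted on that listener; a 200 with an empty result means no sensitive
// flag was on the command line.
func CheckMetricsEndpoint(client *http.Client, baseURL string) (map[string]string, error) {
	resp, err := client.Get(baseURL + "/debug/pprof/cmdline")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		return map[string]string{}, nil
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, baseURL)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return nil, err
	}
	return LeakedSecrets(ParseCmdline(body), sensitiveFlags), nil
}

// NewMetricsServer stands in for a SpiceDB metrics listener whose process was
// started with argv. The handler mirrors the byte format of net/http/pprof's
// Cmdline handler (arguments joined by NUL) so the example runs offline.
func NewMetricsServer(argv []string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/cmdline", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		io.WriteString(w, strings.Join(argv, "\x00"))
	})
	return httptest.NewServer(mux)
}

func main() {
	// Constructed launch lines: key passed as a flag (affected) versus key
	// supplied through SPICEDB_GRPC_PRESHARED_KEY in the environment.
	flagLaunch := []string{"spicedb", "serve", "--grpc-preshared-key=s3cr3t", "--metrics-addr=:9090"}
	envLaunch := []string{"spicedb", "serve", "--metrics-addr=localhost:9090"}

	for _, argv := range [][]string{flagLaunch, envLaunch} {
		srv := NewMetricsServer(argv)
		leaked, err := CheckMetricsEndpoint(srv.Client(), srv.URL)
		srv.Close()
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%q -> leaked %v\n", argv, leaked)
	}
}
```

Against a real deployment, point `CheckMetricsEndpoint` at `http://<host>:9090` from the network position you care about. A 404 on `/debug/pprof/cmdline` means pprof is not mounted on that listener, an empty map with a 200 means the key was not passed as a flag, and anything else is the finding. Note that binding the metrics service to localhost or disabling it removes the endpoint from network reach but does not remove the key from the process's arguments, which stay readable by anything on the host that can list processes; moving the key to the environment variable is the workaround that actually takes it off the command line.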

See Also

https://github.com/advisories/GHSA-cjr9-mr35-7xh6

Plugin Details

Severity: High

ID: 413952

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-29193

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/13/2023

Vulnerability Publication Date: 4/13/2023

Reference Information

CVE: CVE-2023-29193

CWE: CWE-209