How severe is CVE-2023-35930?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2023-35930?

This is classified as CWE-913, which is a common weakness in software security.

CVE-2023-35930 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example, using `LookupResources` to find a list of resources to allow access to be okay: some subjects that should have access to a resource may not. But if using `LookupResources` to find a list of banned resources instead, then some users that shouldn't have access may. Generally, `LookupResources` is not and should not be to gate access in this way - that's what the `Check` API is for. Additionally, version 1.22.0 has included a warning about this bug since its initial release. Users are advised to upgrade to version 1.22.2. Users unable to upgrade should avoid using `LookupResources` for negative authorization decisions.

Related Vulnerabilities

CVE-2021-26276

MEDIUM

CVSS:5.3(Medium)

scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vu...

CWE-9132021

CVE-2022-25355

MEDIUM

CVSS:5.3(Medium)

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an...

CWE-9132022

CVE-2020-15372

MEDIUM

CVSS:5.5(Medium)

A vulnerability in the command-line interface in Brocade Fabric OS before Brocade Fabric OS v8.2.2a1, 8.2.2c, v7.4.2g, v8.2.0_CBN3, v8.2.1e, v8.1.2k, v9.0.0, could allow a local authenticated attacker...

CWE-9132020

CVE-2022-3225

MEDIUM

CVSS:5.7(Medium)

Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20.

CWE-9132022

CVE-2020-4100

MEDIUM

CVSS:4.4(Medium)

"HCL Verse for Android was found to employ dynamic code loading. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application i...

CWE-9132020

CVE-2025-46675

MEDIUM

CVSS:4.2(Medium)

In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking.

CWE-9132025