logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-9722-9j67-vjcr surrealdb-core

Package

Manager: cargo
Name: surrealdb-core
Vulnerable Version: >=0 <2.0.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Improper Authorization in Select Permissions Due to the order in which permissions were processed, some statements, filters and computations could lead to leaking field values or record contents to users without the required permissions. This behavior could be triggered in different scenarios: - When performing a `SELECT` operation on a table, the values that would be returned were iterated over, field permissions would be validated and any unauthorized value would be removed from the result returned. However, performing a `SELECT VALUE` operation (e.g. `SELECT VALUE private FROM data`) would result in a non-iterable value, which would not be removed from the returned result. - When aliasing a field (e.g. `SELECT private AS public FROM data`) for which the user did not have `SELECT` permissions within a `SELECT` query, permissions would be checked against the field of the resulting document containing the aliased field instead of the original document containing the original field. As a consequence, the original field value would be returned as the returned field would not match the original field where permissions had been defined. - When calling a function in the context of a `SELECT` query and passing a field with permissions as an argument to the function (e.g. `SELECT string::lowercase(private) FROM data`), the function would receive the field value before it had been removed from the document due to `SELECT` permissions. As a result, the function would have access to the value of the field regardless of field permissions. This case includes functions called from within events and other clauses that support function calling. - When executing a query containing a `WHERE` clause filtering records by a field that the querying user does not have access to `SELECT` (e.g. `SELECT public FROM data WHERE private ~ "secret"`), the response of that query would still take the value of the field into account. Even though the value of the protected field would not be returned, this behavior could be used as a side channel by the querying user to infer information about the value of the field. - When performing `UPDATE` or `DELETE` operations over a table with a user that had those permissions but no `SELECT` permission, the `RETURN BEFORE` clause could be used (e.g. `DELETE data RETURN BEFORE`) to read the contents of the records prior to the authorized update or the deletion despite the querying user not being authorized to perform `SELECT` operations. - When performing `UPDATE` operations on a table for which the user had `SELECT` and `UPDATE` permissions, the `SET` clause could reference fields that the user had `UPDATE` but no `SELECT` permission for (e.g. `UPDATE data SET public = private`) in order to update the value of a field that the user had permission to `SELECT` to the value of another field for which the user did not. ### Impact Clients that were authorized by table permissions to execute `SELECT` statements for a table but were not authorized by field permissions to run `SELECT` queries for a specific field could still have been able to gain knowledge of the value of that field. Additionally, clients that were authorized to execute `UPDATE` or `DELETE` statements for a table but not authorized to execute `SELECT` statements for the same table may have been able to gain knowledge of the contents of records in that table. This could only be exploited by users who were already authorized to execute queries on the database with the affected table or field. Due to its relationship with table and field permissions, which apply mainly to record users rather than system users, this issue mostly affects users relying on SurrealDB as a backend-as-a-service rather than SurrealDB as a traditional database backend. ### Patches The behavior when evaluating table or field permissions and filtering records or fields as a result of those evaluations has been improved to consider permissions before any changes to the document have been made and, when relevant, permissions after changes to the document have taken place. When a user is unauthorized to view record contents and field values by permissions, the returned documents will behave as if the record or field did not exist in order to prevent leaking any information. - Version 2.0.4 and later are not affected by this issue. ### Workarounds Users affected by this issue and unable to update should not rely on the authorization provided by field permissions when it comes to the `SELECT` permission. Instead, read access to fields in affected versions should be restricted at the table level. When allowing the `UPDATE` or `DELETE` operations for records via table permissions, users should not rely of the authorization provided by the `SELECT` permission. Instead, users should not allow clients to `UPDATE` or `DELETE` records that they should not be able to view.

Metadata

Created: 2024-10-08T22:21:09Z
Modified: 2024-10-08T22:21:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-9722-9j67-vjcr/GHSA-9722-9j67-vjcr.json
CWE IDs: ["CWE-285"]
Alternative ID: N/A
Finding: F039
Auto approve: 1