
GHSA-27vq-hv74-7cqp surrealdb

Package

Manager: cargo
Name: surrealdb
Vulnerable Version: >=2.0.0 <2.1.4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

The `OVERWRITE` clause of the `DEFINE TABLE` statement would fail to overwrite data for tables that were defined with `TYPE RELATION`. Since table definitions include the `PERMISSIONS` clause, this failure meant that permissions were not overwritten either, which may lead users to believe they have changed the table permissions when they have not.

### Impact

If a user attempted to update the permissions of a table defined with `TYPE RELATION` using `DEFINE TABLE ... OVERWRITE`, the permissions for that table would not be changed. This may allow a client that is authorized to run queries in a SurrealDB server to access certain data in that specific table that it was not intended to be able to access after the specified change in permissions.

### Patches

The `DEFINE TABLE` statement has been updated to appropriately overwrite data for tables defined with `TYPE RELATION`.

- Version 2.1.4 and later are not affected by this issue.

### Workarounds

Users of tables with `TYPE RELATION` that may have been modified using the `OVERWRITE` clause in order to update permissions are advised to verify that the intended permissions are in place using the `INFO FOR DB` statement. Affected users who are unable to update and require updating permissions in a table with `TYPE RELATION` will be required to remove the table and define it from scratch with the intended permissions. Data can be preserved by backing it up to a temporary table.

### References

- #5260
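As an added illustration (not part of the advisory and not SurrealDB's own documentation), the following SurrealQL walks through the sequence the Workarounds section describes: verify the live definition with `INFO FOR DB` instead of trusting that `OVERWRITE` took effect, and on a server that cannot be updated to 2.1.4, rebuild the relation table with the intended permissions while preserving its edges through a temporary table. The table, field and variable names (`likes`, `user`, `post`, `since`, `likes_backup`, `src`, `dst`, `$auth.id`) are assumed placeholders, and the statements are meant to be run by a user with database-level definition rights.

```surrealql
-- Constructed example: a relation table that was first defined with open
-- permissions. On affected versions (>=2.0.0 <2.1.4) a later
-- DEFINE TABLE OVERWRITE silently leaves this PERMISSIONS clause in place.
DEFINE TABLE likes TYPE RELATION FROM user TO post
    PERMISSIONS FULL;

-- Intended tightening: a record user may only see or change its own edges.
-- On an affected server this statement appears to succeed but changes nothing.
DEFINE TABLE OVERWRITE likes TYPE RELATION FROM user TO post
    PERMISSIONS
        FOR select, update, delete WHERE in = $auth.id
        FOR create WHERE in = $auth.id;

-- Verify rather than trust: INFO FOR DB lists the table definitions the
-- database actually holds; check the PERMISSIONS text shown for `likes`.
INFO FOR DB;

-- Workaround when updating to 2.1.4 is not possible:
-- 1. preserve the edges in a temporary table (the in/out links are copied
--    under assumed field names src/dst; `since` stands for any edge fields),
INSERT INTO likes_backup (SELECT in AS src, out AS dst, since FROM likes);

-- 2. remove the relation table, which drops its stale definition and permissions,
REMOVE TABLE likes;

-- 3. define it from scratch with the intended permissions,
DEFINE TABLE likes TYPE RELATION FROM user TO post
    PERMISSIONS
        FOR select, update, delete WHERE in = $auth.id
        FOR create WHERE in = $auth.id;

-- 4. restore the edges by re-creating each relation from the backup,
FOR $edge IN (SELECT * FROM likes_backup) {
    RELATE $edge.src->likes->$edge.dst SET since = $edge.since;
};

-- 5. confirm the new definition is what the database now holds, then clean up.
INFO FOR DB;
REMOVE TABLE likes_backup;
```

The point of the second `INFO FOR DB` is the same as the first: on an affected server the only reliable signal that a permissions change landed is the definition text the database reports back, not the absence of an error from `DEFINE TABLE OVERWRITE`.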

Metadata

Created: 2024-12-16T17:38:53Z
Modified: 2024-12-18T17:18:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27vq-hv74-7cqp/GHSA-27vq-hv74-7cqp.json
CWE IDs: ["CWE-732"]
Alternative ID: N/A
Finding: F159
Auto approve: 1