SurrealDB
- < 2.0.4
A vulnerability exists in SurrealDB versions prior to 2.0.4, where the database fails to properly enforce field permissions during SELECT, UPDATE, and DELETE operations. This oversight allows authorized users to access unauthorized field values through various query techniques. Exploitation can occur via SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references, enabling the leakage of protected field contents despite the absence of SELECT permissions.
Exploitation of this vulnerability could lead to unauthorized access to field values, allowing users to gain knowledge of protected information they should not have access to. This issue primarily affects users relying on SurrealDB as a backend-as-a-service, rather than as a traditional database backend.
To reproduce this vulnerability, a user must perform SELECT, UPDATE, or DELETE operations on a table where they have been granted those permissions at the table level, but lack the corresponding SELECT permissions for specific fields. The vulnerability can be triggered by selecting values from unauthorized fields, aliasing fields to bypass permission checks, using functions that access field values before permission filters are applied, or exploiting UPDATE and DELETE operations with RETURN BEFORE clauses to read protected field contents.
Users should update SurrealDB to version 2.0.4 or later, where this vulnerability has been patched. For those unable to update, it is recommended to restrict read access to fields at the table level and to carefully manage UPDATE and DELETE permissions to avoid unauthorized access to record contents.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.