SurrealDB
- <= 3.0.0-alpha.7
- < 2.3.6
- < 2.2.6
- < 2.1.8
A vulnerability exists in SurrealDB versions prior to 2.2.6, 2.3.6, 2.1.8, and 3.0.0-alpha.7 that allows authenticated users to bypass network access restrictions. The issue arises because the application fails to validate DNS-resolved hostnames against deny-net restrictions in its HTTP functions. This flaw enables access to restricted internal endpoints, potentially allowing the retrieval or alteration of sensitive information and credentials, depending on the deployment scenario.
Exploitation of this vulnerability can lead to unauthorized access to internal endpoints that are normally restricted, allowing for the retrieval or modification of sensitive information and credentials.
Users can update to SurrealDB versions 2.2.6, 2.3.6, or later. If using version 3.0.0-alpha, update to a stable release after 3.0.0-alpha.7. For additional guidance, consult the SurrealDB documentation on capabilities and network access.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.