SurrealDB
- < 2.2.2
- < 2.1.5
A local file read vulnerability has been identified in SurrealDB versions prior to 2.2.2. This issue allows authenticated users with root, namespace, or database level privileges to use the DEFINE ANALYZER statement to access arbitrary files on the file system. The vulnerability specifically targets two-column tab-separated values (TSV) files, which can be read and exfiltrated by the attacker.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information contained in two-column TSV files on the file system.
Users can update to SurrealDB versions 2.2.2 or 2.1.5 to address this vulnerability. For those unable to update, it is recommended to restrict access for users with root, namespace, or database level privileges to trusted individuals only.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.