Homepage
About Snyk

Incorrect Default Permissions Affecting surrealdb package, versions <1.0.1

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUST-SURREALDB-6129066
  • published 15 Dec 2023
  • disclosed 15 Dec 2023
  • credit LucyEgan
Report a new vulnerability Found a mistake?

Introduced: 15 Dec 2023

CVE NOT AVAILABLE CWE-276 Open this link in a new tab

How to fix?

Upgrade surrealdb to version 1.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Default Permissions due to the default configuration of table permissions. Any authorized client can create, read, update, and delete data in tables that were defined without explicit permissions and are within their authorization scope. This is particularly critical for instances allowing guest access with publicly exposed interfaces, as a remote unauthenticated user may gain full access to tables without explicit permissions.

Workaround

This vulnerability can be mitigated by explicitly defining table permissions using the PERMISSIONS clause in the table definition.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High