Upgrade `surrealdb-core` to version 2.1.0 or higher.
Affected versions of this package are vulnerable to Uncaught Exception, which allows a privileged user with the `owner` role to define a user via `DEFINE USER` with a nonexistent role, which would panic when being converted to a `Role` enum in order to perform certain IAM operations with that user.
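The failure class described above, as an added Rust example (not SurrealDB's source code): role names stored unchecked and later converted with a panicking call, next to a fallible conversion that rejects an unknown role when the user is defined. The `Role` enum, `UnknownRole`, `roles_or_panic` and `define_user` are hypothetical names, and the inputs are constructed.

```rust
use std::str::FromStr;

// Hypothetical model of the bug class; not SurrealDB's source.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Role { Viewer, Editor, Owner }

#[derive(Debug, PartialEq)]
pub struct UnknownRole(pub String);

// Fallible conversion: an unrecognised name becomes an error value, not a panic.
impl FromStr for Role {
    type Err = UnknownRole;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "viewer" => Ok(Role::Viewer),
            "editor" => Ok(Role::Editor),
            "owner" => Ok(Role::Owner),
            other => Err(UnknownRole(other.to_string())),
        }
    }
}

// Unsafe pattern: role names were stored unchecked and are converted later
// with a panicking call, so a bad name crashes whichever operation reads it.
pub fn roles_or_panic(stored: &[&str]) -> Vec<Role> {
    stored.iter().map(|r| r.parse::<Role>().expect("role must exist")).collect()
}

// Hardened pattern: validate at definition time and reject the statement.
pub fn define_user(name: &str, roles: &[&str]) -> Result<(String, Vec<Role>), UnknownRole> {
    let parsed = roles
        .iter()
        .map(|r| r.parse::<Role>())
        .collect::<Result<Vec<Role>, _>>()?;
    Ok((name.to_string(), parsed))
}

fn main() {
    // Constructed sample input.
    println!("{:?}", define_user("alice", &["editor"]));
    println!("{:?}", define_user("bob", &["auditor"]));
    let crashed = std::panic::catch_unwind(|| roles_or_panic(&["auditor"])).is_err();
    println!("panicking conversion crashed: {crashed}");
}
```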
## Workaround
Affected users who are unable to update to the fixed version are advised to limit access to users with the `owner` role at any level to trusted parties only.
Additionally, SurrealDB administrators are advised to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.