Incorrect Permission Assignment for Critical Resource Affecting surrealdb-core package, versions >=2.0.0


Severity: low

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-SURREALDBCORE-8516314
  • Published: 17 Dec 2024
  • Disclosed: 16 Dec 2024
  • Credit: Albert Marashi

Introduced: 16 Dec 2024

CVE: not available. CWE-732

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource because the OVERWRITE clause of the DEFINE TABLE statement does not replace the existing definition of a table defined with TYPE RELATION. The PERMISSIONS the administrator intends to tighten are silently left as they were, so an attacker can retain access to data that the new definition was meant to restrict.

Note:

This is only exploitable if the table is defined with TYPE RELATION and the OVERWRITE clause is used to update permissions.

Workaround

This vulnerability can be mitigated by verifying that the intended permissions are in place using the INFO FOR DB statement. Affected users who are unable to update and require updating permissions in a table with TYPE RELATION will be required to remove the table and define it from scratch with the intended permissions. Data can be preserved by backing it up to a temporary table.
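The following SurrealQL session is an added illustration of the check and the workaround described above; it is not part of the Snyk advisory or of the SurrealDB project. The table and record-table names (likes, user, post, likes_backup) and the permission rules are constructed for the example, and the use of INSERT RELATION with a subquery to restore the edges is an assumption about SurrealQL syntax that should be confirmed against the documentation for the deployed version.

```surrealql
-- Constructed starting point: a relation table whose permissions are deliberately open.
DEFINE TABLE likes TYPE RELATION IN user OUT post
  PERMISSIONS FOR select, create, update, delete FULL;

-- Baseline check: INFO FOR DB lists every table definition, INFO FOR TABLE shows one.
-- The PERMISSIONS printed here are the ones SurrealDB actually enforces.
INFO FOR DB;
INFO FOR TABLE likes;

-- Attempt to tighten permissions in place. On affected versions of surrealdb-core
-- this OVERWRITE does not replace the TYPE RELATION definition, so the next
-- INFO FOR TABLE still reports FULL access.
DEFINE TABLE OVERWRITE likes TYPE RELATION IN user OUT post
  PERMISSIONS
    FOR select WHERE in = $auth.id
    FOR create, update, delete NONE;
INFO FOR TABLE likes;

-- Workaround when the fixed release cannot be installed:
-- 1. preserve the existing edges (id, in, out and any extra fields) in a temporary table
DEFINE TABLE likes_backup SCHEMALESS;
INSERT INTO likes_backup (SELECT * FROM likes);

-- 2. drop the relation table and define it from scratch with the intended permissions
REMOVE TABLE likes;
DEFINE TABLE likes TYPE RELATION IN user OUT post
  PERMISSIONS
    FOR select WHERE in = $auth.id
    FOR create, update, delete NONE;

-- 3. restore the edges and discard the backup (subquery form of INSERT RELATION is assumed)
INSERT RELATION INTO likes (SELECT * FROM likes_backup);
REMOVE TABLE likes_backup;

-- 4. confirm the restrictive PERMISSIONS are now what INFO reports
INFO FOR TABLE likes;
```

Run the INFO statements as the root or database owner so the full definition is printed; comparing the output before and after the OVERWRITE is the quickest way to tell whether a given deployment is affected, since the statement itself does not report the failure.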
