CVE-2023-54366

SurrealDB · SurrealDB

SurrealDB versions prior to 1.0.1 contain a vulnerability related to incorrect default permissions, which may allow unauthorized data access or modification.

Executive summary

An incorrect default permissions vulnerability in SurrealDB versions before 1.0.1 poses a high risk of unauthorized data exposure or manipulation by authenticated users.

Vulnerability

This vulnerability involves incorrect default permissions (CWE-276), which can be exploited by an authenticated user to perform actions outside of their intended scope.

Business impact

The ability to bypass intended permission structures can lead to unauthorized access to sensitive database content or data modification. With a CVSS score of 8.8, this flaw represents a significant risk to data confidentiality and integrity, potentially impacting business operations and compliance requirements.

Remediation

Immediate Action: Update the SurrealDB package to version 1.0.1 or later to remediate the insecure default settings.

Proactive Monitoring: Audit database access logs and user permissions to detect any unauthorized attempts to access tables or records outside of standard user roles.

Compensating Controls: Implement the principle of least privilege by explicitly defining database roles and permissions rather than relying on default configurations.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Security teams should treat this vulnerability with high urgency. Upgrading to SurrealDB 1.0.1 is the primary defense against this permission-based flaw, and administrators should verify that all custom permission settings are correctly applied following the update.