CVE-2024-58362

SurrealDB · SurrealDB

SurrealDB is vulnerable to a query injection attack via the RPC API, allowing authenticated users to execute unauthorized commands.

Executive summary

A query injection vulnerability in the SurrealDB RPC API allows authenticated users to execute unauthorized commands, presenting a high risk to database integrity.

Vulnerability

This is a failure to sanitize special elements (CWE-75), which leads to a query injection vulnerability. An authenticated user can leverage the RPC API to inject malicious queries into the database engine.

Business impact

Successful exploitation allows an attacker to manipulate database queries, potentially leading to unauthorized data extraction, modification, or destruction. Given the CVSS score of 8.8, this vulnerability poses a severe threat to the business, as it directly undermines the core security of the database management system.

Remediation

Immediate Action: Update to SurrealDB 1.5.5 or 2.0.0-beta.3, and ensure surrealdb-core is updated to at least 1.5.2.

Proactive Monitoring: Review RPC API request logs for patterns indicative of injection attempts, such as unusual character sequences or unexpected query structures.

Compensating Controls: Utilize network-level access controls to restrict access to the RPC API to authorized application servers only, reducing the likelihood of malicious user interaction.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Given the potential for complete database compromise via query injection, immediate patching is mandatory. Administrators must ensure all components, including core dependencies, are updated to the specified non-vulnerable versions to mitigate this critical risk.