CVE-2024-58362
SurrealDB · SurrealDB
SurrealDB is vulnerable to a query injection attack via the RPC API, allowing authenticated users to execute unauthorized commands.
Executive summary
A query injection vulnerability in the SurrealDB RPC API allows authenticated users to execute unauthorized commands, presenting a high risk to database integrity.
Vulnerability
This is a failure to sanitize special elements (CWE-75), which leads to a query injection vulnerability. An authenticated user can leverage the RPC API to inject malicious queries into the database engine.
Business impact
Successful exploitation allows an attacker to manipulate database queries, potentially leading to unauthorized data extraction, modification, or destruction. Given the CVSS score of 8.8, this vulnerability poses a severe threat to the business, as it directly undermines the core security of the database management system.
Remediation
Immediate Action: Update to SurrealDB 1.5.5 or 2.0.0-beta.3, and ensure surrealdb-core is updated to at least 1.5.2.
Proactive Monitoring: Review RPC API request logs for patterns indicative of injection attempts, such as unusual character sequences or unexpected query structures.
Compensating Controls: Utilize network-level access controls to restrict access to the RPC API to authorized application servers only, reducing the likelihood of malicious user interaction.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
Given the potential for complete database compromise via query injection, immediate patching is mandatory. Administrators must ensure all components, including core dependencies, are updated to the specified non-vulnerable versions to mitigate this critical risk.