CVE-2024-58366
SurrealDB · SurrealDB
SurrealDB is affected by a format string vulnerability that allows authenticated users to execute arbitrary code via scripting functions.
Executive summary
A high-severity format string vulnerability in SurrealDB allows authenticated attackers to execute arbitrary code, threatening complete system compromise.
Vulnerability
The software contains a format string vulnerability (CWE-134) in its scripting functions. This flaw requires that an attacker have low-level privileges to successfully interact with the vulnerable function.
Business impact
With a CVSS score of 8.5, this vulnerability represents a significant threat to organizational security. Successful exploitation grants an attacker the ability to execute code on the database server, which could lead to full database compromise, unauthorized data access, and potential lateral movement within the network.
Remediation
Immediate Action: Update SurrealDB to version 1.1.1 immediately to resolve the vulnerable scripting function implementation.
Proactive Monitoring: Audit database logs for unusual scripting activity or unexpected function calls that deviate from standard operational patterns.
Compensating Controls: Restrict access to database scripting features to only trusted and necessary service accounts, and ensure the database runs in a hardened, least-privilege environment.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this flaw demands immediate attention. Administrators must upgrade to the specified patch version to prevent potential remote code execution and maintain the security posture of their database infrastructure.