CVE-2024-58367
SurrealDB · surrealdb
SurrealDB contains an improper authorization vulnerability that allows authenticated users with low privileges to access sensitive data through improper select permissions.
Executive summary
An improper authorization vulnerability in SurrealDB versions prior to 2.0.4 allows authenticated users to potentially access unauthorized data.
Vulnerability
The software suffers from an improper authorization flaw (CWE-285), which can be exploited by an authenticated attacker to perform unauthorized data selection operations. The attack vector is network-based and requires low-level privileges.
Business impact
Exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive information stored within the SurrealDB instance. With a CVSS score of 7.1, this flaw presents a high risk to data confidentiality, potentially impacting compliance and internal data security policies.
Remediation
Immediate Action: Update the SurrealDB package to version 2.0.4 or later to resolve the authorization logic flaw.
Proactive Monitoring: Review database access logs for unusual query patterns or unauthorized attempts to access tables or records outside of a user's typical scope.
Compensating Controls: Implement strict Role-Based Access Control (RBAC) and follow the principle of least privilege to limit the impact of potential authorization bypasses.
Exploitation status
Public Exploit Available: No (exploit_available: unknown)
Analyst recommendation
Administrators should treat this vulnerability with high priority by scheduling an update to version 2.0.4 at the earliest opportunity. Ensuring that the database engine is patched is the most effective way to eliminate the risk of unauthorized data access.