GHSA-8xff-473h-f863

Suggest an improvement
Source
https://github.com/advisories/GHSA-8xff-473h-f863
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-8xff-473h-f863/GHSA-8xff-473h-f863.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8xff-473h-f863
Published
2024-02-21T00:00:54Z
Modified
2024-02-21T00:00:54Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Uncaught Exception Handling Parsing Errors on Line Terminators
Details

The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.

Impact

A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.

Patches

  • Version 1.2.1 and later are not affected by this issue.

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • #3527
  • https://github.com/StarlaneStudios/Surrealist/issues/177
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-248"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T00:00:54Z"
}
References

Affected packages

crates.io / surrealdb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.1

Database specific

{
    "last_known_affected_version_range": "<= 1.2.0"
}