Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04eGZmLTQ3M2gtZjg2M84AA5Zs

Uncaught Exception Handling Parsing Errors on Line Terminators

The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.

Impact

A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.

Patches

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

Permalink: https://github.com/advisories/GHSA-8xff-473h-f863
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04eGZmLTQ3M2gtZjg2M84AA5Zs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 10 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-8xff-473h-f863
References: Repository: https://github.com/surrealdb/surrealdb
Blast Radius: 14.3

Affected Packages

cargo:surrealdb
Dependent packages: 42
Dependent repositories: 158
Downloads: 256,478 total
Affected Version Ranges: <= 1.2.0
Fixed in: 1.2.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0
All unaffected versions: 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4