GSA_kwCzR0hTQS04eGZmLTQ3M2gtZjg2M84AA5Zs

Moderate

Permalink JSON

Uncaught Exception Handling Parsing Errors on Line Terminators

Affected Packages	Affected Versions	Fixed Versions
cargo:surrealdb PURL: `pkg:cargo/surrealdb`	<= 1.2.0	1.2.1
42 Dependent packages 158 Dependent repositories 460,888 Downloads total Affected Version Ranges All affected versions 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0 All unaffected versions 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7

The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.

Impact

A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.

Patches

Version 1.2.1 and later are not affected by this issue.

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

References:

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

GSA_kwCzR0hTQS04eGZmLTQ3M2gtZjg2M84AA5Zs

Uncaught Exception Handling Parsing Errors on Line Terminators

Affected Version Ranges

All affected versions

All unaffected versions

Impact

Patches

Workarounds

References

Identifiers

Risk

Severity

Classification

Source

Origin

Repository

Date and time

Published

Updated

API