Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNTJ2LTI0cDgtNjU0Zs4ABBnj
SurrealDB has an Uncaught Exception Sorting Tables by Random Order
Sorting table records using an ORDER BY clause with the rand() function as sorting mechanism could cause a panic due to relying on a comparison function that did not implement total order. This event resulted in a panic due to a recent change in Rust 1.81.
Impact
A client that is authorized to run queries in a SurrealDB server would be able to query a table with ORDER BY rand() in order to potentially cause a panic in the sorting function. This would crash the server, leading to denial of service.
Patches
The sorting algorithm has been updated to guarantee total order when shuffling records.
- Version 2.1.0 and later are not affected by this issue.
Workarounds
Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
References
- https://github.com/surrealdb/surrealdb/issues/4969
- https://github.com/surrealdb/surrealdb/pull/4989
- https://github.com/surrealdb/surrealdb/pull/4805
- https://github.com/surrealdb/surrealdb/pull/4906
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNTJ2LTI0cDgtNjU0Zs4ABBnj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 days ago
Updated: 4 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-m52v-24p8-654f
References:
- https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m52v-24p8-654f
- https://github.com/surrealdb/surrealdb/issues/4969
- https://github.com/surrealdb/surrealdb/pull/4805
- https://github.com/surrealdb/surrealdb/pull/4906
- https://github.com/surrealdb/surrealdb/pull/4989
- https://github.com/advisories/GHSA-m52v-24p8-654f
Blast Radius: 14.3
Affected Packages
cargo:surrealdb-core
Dependent packages: 4Dependent repositories: 0
Downloads: 168,995 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
All unaffected versions: 2.1.0
cargo:surrealdb
Dependent packages: 42Dependent repositories: 158
Downloads: 233,404 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
All unaffected versions: 2.1.0