Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNTJ2LTI0cDgtNjU0Zs4ABBnj

SurrealDB has an Uncaught Exception Sorting Tables by Random Order

Sorting table records using an ORDER BY clause with the rand() function as sorting mechanism could cause a panic due to relying on a comparison function that did not implement total order. This event resulted in a panic due to a recent change in Rust 1.81.

Impact

A client that is authorized to run queries in a SurrealDB server would be able to query a table with ORDER BY rand() in order to potentially cause a panic in the sorting function. This would crash the server, leading to denial of service.

Patches

The sorting algorithm has been updated to guarantee total order when shuffling records.

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

Permalink: https://github.com/advisories/GHSA-m52v-24p8-654f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNTJ2LTI0cDgtNjU0Zs4ABBnj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 18 days ago
Updated: 18 days ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-m52v-24p8-654f
References: Repository: https://github.com/surrealdb/surrealdb
Blast Radius: 14.3

Affected Packages

cargo:surrealdb-core
Dependent packages: 4
Dependent repositories: 0
Downloads: 181,339 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
All unaffected versions: 2.1.0, 2.1.1, 2.1.2
cargo:surrealdb
Dependent packages: 42
Dependent repositories: 158
Downloads: 244,676 total
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4
All unaffected versions: 2.1.0, 2.1.1, 2.1.2