GHSA-64f8-pjgr-9wmr: Untrusted Query Object Evaluation in RPC API
During the sign in and sign up operations through the SurrealDB RPC API, an arbitrary object would be accepted in order to support a wide array of types and structures that could contain user credentials. This arbitrary object could potentially contain any SurrealDB value, including an object representing a subquery. For this to materialize, this object would need to be encoded using the bincode serialization format instead of the default JSON serialization format or the additionally supported CBOR serialization format.
If a binary object containing a subquery were to be provided in this way, that subquery would be computed while executing the SIGNIN and SIGNUP queries defined by the database owner while defining a record access method. Since those queries are executed under a system user session with the editor role, an unauthenticated attacker may be able to leverage this behavior to select, create, update and delete non-IAM resources with permissions of a system user with the editor role.
References
- github.com/advisories/GHSA-64f8-pjgr-9wmr
- github.com/surrealdb/surrealdb
- github.com/surrealdb/surrealdb/commit/b7583a653a2c495a60630dffd663f506426db330
- github.com/surrealdb/surrealdb/commit/eab7ef5354168d4039f7f7b77042c99a52f770a6
- github.com/surrealdb/surrealdb/security/advisories/GHSA-64f8-pjgr-9wmr
- surrealdb.com/docs/surrealdb/integration/rpc
- surrealdb.com/docs/surrealdb/integration/rpc
- surrealdb.com/docs/surrealdb/security/authentication
Code Behaviors & Features
Detect and mitigate GHSA-64f8-pjgr-9wmr with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →