RPC API Vulnerability in SurrealDB Affects User Authentication Processes
CVE-2024-58362
What is CVE-2024-58362?
SurrealDB versions prior to 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 are susceptible to a query injection vulnerability. The issue arises from the RPC API's acceptance of arbitrary objects during the signin and signup processes without thorough validation of non-computed values. This flaw permits an unauthorized attacker to craft a binary object embedded with a subquery using the bincode serialization format. When this object is submitted in place of user credentials during the authentication process, it is executed under the permissions of a system user session with the editor role. Consequently, the attacker attains the ability to manipulate non-IAM resources, enabling actions such as selection, creation, updating, and deletion of these resources, while IAM resources remain unaffected. This significant security gap underscores the need for immediate remediation and enhanced validation mechanisms within the authentication workflows.
Affected Version(s)
surrealdb 0 < 1.5.5, 2.0.0-beta.3
surrealdb 0 < 1.5.2
surrealdb 1.5.5, 2.0.0-beta.3
