Format String Vulnerability in SurrealDB Affecting Scripting Functions
CVE-2024-58366
9CRITICAL
What is CVE-2024-58366?
SurrealDB prior to version 1.1.1 is susceptible to a critical format string vulnerability that emerges within the Exception::throw_type method when scripting features are activated. This flaw enables attackers who have acquired scripting privileges to inject malicious format strings into error messages, leading to the potential disclosure of sensitive information through arbitrary memory access or even the execution of arbitrary code under the privileges of the SurrealDB process, thereby compromising the security of the application and its data.
Affected Version(s)
surrealdb 0 < 1.1.1
surrealdb 0 < 0.4.2
surrealdb 1.1.1
