GHSA-98fx-66cf-fc7c: SurrealDB: Scraping a TABLE with no available PERMISSIONS to current auth level
A vulnerability was discovered where the user-supplied WHERE clause in a SELECT statement is evaluated against the full record data before PERMISSIONS FOR SELECT WHERE determines whether the principal is authorised to access that record. A side-effecting expression in the WHERE clause can exfiltrate record contents before the permission check runs. The same ordering bug affects the SET, MERGE, CONTENT and PATCH clauses of update-variant statements (UPDATE, UPSERT-update, INSERT ON DUPLICATE KEY UPDATE, RELATE-update).
This vulnerability is confined to the attacker’s current database. It does not cross namespace or database isolation boundaries.
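The ordering problem above can be shown with a small in-memory model; this is an added illustration and not SurrealDB's code. It assumes a table of records, a per-principal record-level predicate standing in for PERMISSIONS FOR SELECT WHERE, and a user-supplied WHERE predicate whose evaluation has an observable side effect; the two query functions differ only in which predicate runs first.

```python
"""Model of the evaluation-order bug in GHSA-98fx-66cf-fc7c (added example,
not SurrealDB's implementation). Both query variants return the same rows;
only the vulnerable one lets the user's WHERE observe unauthorised data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Record = Dict[str, object]
Predicate = Callable[[Record], bool]

# Constructed sample table: one record per principal.
TABLE: List[Record] = [
    {"id": "account:1", "owner": "alice", "secret": "alice-token"},
    {"id": "account:2", "owner": "bob", "secret": "bob-token"},
]


def select_permission(principal: str) -> Predicate:
    """Analogue of PERMISSIONS FOR SELECT WHERE owner = <current principal>."""
    return lambda rec: rec["owner"] == principal


@dataclass
class LeakyWhere:
    """A user WHERE predicate with a side effect: it records each value
    it is evaluated against, which is how the record leaks."""
    observed: List[object] = field(default_factory=list)

    def __call__(self, rec: Record) -> bool:
        self.observed.append(rec["secret"])  # the side effect
        return True


def select_vulnerable(principal: str, where: Predicate) -> List[Record]:
    """Bug: the user's WHERE runs against the full record before the
    permission predicate decides whether the principal may see it."""
    allowed = select_permission(principal)
    return [r for r in TABLE if where(r) and allowed(r)]


def select_fixed(principal: str, where: Predicate) -> List[Record]:
    """Fix: the permission predicate gates the record first, so user
    expressions are only ever evaluated on records the principal may read."""
    allowed = select_permission(principal)
    return [r for r in TABLE if allowed(r) and where(r)]


def leaked_secrets(query, principal: str = "bob") -> List[object]:
    """Run a query as `principal` and return what its WHERE clause observed."""
    where = LeakyWhere()
    query(principal, where)
    return sorted(where.observed)
```

The returned rows are identical in both orderings, so a test that only checks the result set would not catch this; the check has to look at what the user-controlled expression was able to observe.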