GHSA-3v2x-9xcv-2v2v: SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions
(updated )
Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or futures. Futures are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (closures) are executed under the privileges of the invoking user, not the creator.
This results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions.
References
- github.com/advisories/GHSA-3v2x-9xcv-2v2v
- github.com/surrealdb/surrealdb
- github.com/surrealdb/surrealdb/commit/f515c91363ee735aa1bc08580d9e7fa0de6e736f
- github.com/surrealdb/surrealdb/releases/tag/v2.5.0
- github.com/surrealdb/surrealdb/releases/tag/v3.0.0-beta.2
- github.com/surrealdb/surrealdb/security/advisories/GHSA-3v2x-9xcv-2v2v
Code Behaviors & Features
Detect and mitigate GHSA-3v2x-9xcv-2v2v with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →