GHSA-x5fr-7hhj-34j3: Full Table Permissions by Default

December 15, 2023

Default table permissions in SurrealDB were FULL instead of NONE. This would lead to tables having FULL permissions for SELECT, CREATE, UPDATE and DELETE unless some other permissions were specified via the PERMISSIONS clause.

We have decided to treat this behaviour as a vulnerability due to its security implications, especially considering the lack of specific documentation and potential for confusion due to the INFO FOR DB statement previously not displaying default permissions. Treating it as a bug fix provides justification for a change in default behavior outside of a major release.
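The following is an added example, not part of the advisory or of SurrealDB's own tooling: a schema audit that lists every `DEFINE TABLE` statement that either omits the PERMISSIONS clause (and so inherited FULL before 1.0.1) or grants FULL explicitly. The sample schema is constructed, and the regex-based parsing assumes no semicolons or comment markers inside string literals.

```python
import re

# Constructed sample schema for illustration (not from a real project).
SAMPLE_SCHEMA = """
-- public catalogue
DEFINE TABLE product SCHEMAFULL;
DEFINE TABLE account SCHEMAFULL
    PERMISSIONS
        FOR select, update WHERE id = $auth.id
        FOR create, delete NONE;
DEFINE TABLE audit_log SCHEMALESS PERMISSIONS NONE;
/* DEFINE TABLE old_table; */
define table session permissions full;
"""

# Block comments plus "--" and "//" line comments.
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*|//[^\n]*", re.S)
# One DEFINE TABLE statement, up to its terminating semicolon.
DEFINE_TABLE = re.compile(
    r"\bDEFINE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+|OVERWRITE\s+)?"
    r"(?P<name>\w+)(?P<body>[^;]*);", re.I)

def audit_tables(schema: str) -> dict:
    """Map each table name to how its permissions are specified."""
    report = {}
    for m in DEFINE_TABLE.finditer(COMMENTS.sub(" ", schema)):
        perms = re.search(r"\bPERMISSIONS\b\s*(\w+)?", m.group("body"), re.I)
        if perms is None:
            # No clause: FULL before 1.0.1, NONE from 1.0.1 onward.
            kind = "implicit-default"
        elif (perms.group(1) or "").upper() == "FULL":
            kind = "explicit-full"
        else:
            kind = "explicit"
        report[m.group("name")] = kind
    return report

def needs_review(schema: str) -> list:
    """Tables relying on the default or granting FULL access."""
    return sorted(t for t, k in audit_tables(schema).items() if k != "explicit")

if __name__ == "__main__":
    for table, kind in audit_tables(SAMPLE_SCHEMA).items():
        print(f"{table}: {kind}")
```

Tables reported as `implicit-default` change behaviour across the upgrade to 1.0.1, so they are the ones to give an explicit PERMISSIONS clause before upgrading.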

References

  • github.com/advisories/GHSA-x5fr-7hhj-34j3
  • github.com/surrealdb/surrealdb
  • github.com/surrealdb/surrealdb/security/advisories/GHSA-x5fr-7hhj-34j3


Affected versions

All versions before 1.0.1

Fixed versions

  • 1.0.1

Solution

Upgrade to version 1.0.1 or above.

Impact 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source file

cargo/surrealdb/GHSA-x5fr-7hhj-34j3.yml


Page generated Wed, 14 May 2025 12:15:59 +0000.