GHSA-M52V-24P8-654F

Vulnerability from github – Published: 2024-11-22 20:11 – Updated: 2024-11-22 20:11
VLAI
Summary
SurrealDB has an Uncaught Exception Sorting Tables by Random Order
Details

Sorting table records using an ORDER BY clause with the rand() function as sorting mechanism could cause a panic due to relying on a comparison function that did not implement total order. This event resulted in a panic due to a recent change in Rust 1.81.

Impact

A client that is authorized to run queries in a SurrealDB server would be able to query a table with ORDER BY rand() in order to potentially cause a panic in the sorting function. This would crash the server, leading to denial of service.

Patches

The sorting algorithm has been updated to guarantee total order when shuffling records.

  • Version 2.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • https://github.com/surrealdb/surrealdb/issues/4969
  • https://github.com/surrealdb/surrealdb/pull/4989
  • https://github.com/surrealdb/surrealdb/pull/4805
  • https://github.com/surrealdb/surrealdb/pull/4906
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-22T20:11:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Sorting table records using an `ORDER BY` clause with the `rand()` function as sorting mechanism could cause a panic due to relying on a comparison function that did not implement total order. This event resulted in a panic due to a recent [change in Rust 1.81](https://blog.rust-lang.org/2024/09/05/Rust-1.81.0.html#new-sort-implementations).\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server would be able to query a table with `ORDER BY rand()` in order to potentially cause a panic in the sorting function. This would crash the server, leading to denial of service.\n\n### Patches\n\nThe sorting algorithm has been updated to guarantee total order when shuffling records.\n\n- Version 2.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- https://github.com/surrealdb/surrealdb/issues/4969\n- https://github.com/surrealdb/surrealdb/pull/4989\n- https://github.com/surrealdb/surrealdb/pull/4805\n- https://github.com/surrealdb/surrealdb/pull/4906",
  "id": "GHSA-m52v-24p8-654f",
  "modified": "2024-11-22T20:11:48Z",
  "published": "2024-11-22T20:11:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m52v-24p8-654f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/issues/4969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/4805"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/4906"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/4989"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has an Uncaught Exception Sorting Tables by Random Order"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…