Skip to content

Uncaught Exception Handling Parsing Errors on Line Terminators

Moderate severity GitHub Reviewed Published Feb 19, 2024 in surrealdb/surrealdb • Updated Feb 21, 2024

Package

cargo surrealdb (Rust)

Affected versions

<= 1.2.0

Patched versions

1.2.1

Description

The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.

Impact

A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.

Patches

  • Version 1.2.1 and later are not affected by this issue.

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

References

@gguillemas gguillemas published to surrealdb/surrealdb Feb 19, 2024
Published to the GitHub Advisory Database Feb 21, 2024
Reviewed Feb 21, 2024
Last updated Feb 21, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8xff-473h-f863

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.