CVE-2024-58361
MEDIUM
6.5
CVSS 3.1
Description
SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error rendering, crashing the server.
Metadata
Severity & Metrics
6.5
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products (2)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| surrealdb | surrealdb | — | 2.0.0 < 2.0.4, 2.0.4 |
| surrealdb | surrealdb | — | 2.0.0 < 2.0.4, 2.0.4 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-248 | cna | Uncaught Exception |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.1 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 6.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (2)
- GitHub Security Advisory (GHSA-qjrv-v6qp-x99x) https://github.com/surrealdb/surrealdb/security/advisories/GHSA-qjrv-v6qp-x99x
- VulnCheck Advisory: SurrealDB before 2.0.4 Denial of Service via Parser Exception https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-parser-exception