CVE-2024-58369
MEDIUM
6.5
CVSS 3.1
Description
SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities at unsupported levels to crash the SurrealDB server, resulting in denial of service.
Metadata
Severity & Metrics
6.5
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| surrealdb | surrealdb | — | 0 < 1.1.1, 1.1.1 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-248 | cna | Uncaught Exception |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.1 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 6.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (2)
- GitHub Security Advisory (GHSA-jm4v-58r5-66hj) https://github.com/surrealdb/surrealdb/security/advisories/GHSA-jm4v-58r5-66hj
- VulnCheck Advisory: SurrealDB before 1.1.1 Denial of Service via Global Parameters https://www.vulncheck.com/advisories/surrealdb-before-denial-of-service-via-global-parameters