Listen to this Post
The vulnerability in SurrealDB’s LIVE SELECT statements stems from an incorrect security context application during the generation of real-time change notifications. When a user with a restricted permission set subscribes to a live query on a table, the system fails to properly re-apply that user’s security predicates to documents involved in DELETE operations or those matching the WHERE clause of the subscription during an update by a privileged user. Instead, the notification payload is constructed using the full document from the triggering user’s context, which has higher privileges. This flaw allows a low-privilege subscriber to receive full, unauthorized document data whenever another user modifies or deletes a record, effectively bypassing row-level security controls and leaking sensitive information.
Platform: SurrealDB
Version: <2.1.9, <2.2.8, <2.3.8, <3.0.0-alpha.8
Vulnerability: Authorization Bypass
Severity: Critical
date: 2024
Prediction: 2024-04-15
What Undercode Say:
`LIVE SELECT FROM table WHERE condition;`
`DEFINE TABLE user PERMISSIONS FOR select WHERE user = $auth;`
`– Subject: [CVE-2024-XXXX] SurrealDB Security Advisory`
How Exploit:
Subscribe to live query on a shared table. Monitor for notifications triggered by admin actions. Capture unauthorized data payloads from real-time updates and deletes.
Protection from this CVE:
Upgrade to patched versions: 2.1.9, 2.2.8, 2.3.8, or later. Isolate sensitive data into separate tables with strict access controls. Audit and minimize live query permissions.
Impact:
Confidentiality breach. Unauthorized data disclosure from table. Information leak dependent on other users’ actions. Bypasses access controls.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

