CVE-2024-58367
Vulnerability Description
SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references to leak protected field contents despite lacking SELECT permissions.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-285
Source
NVD
Vendor
surrealdb
Product
surrealdb
Discussion (0)
Add Comment
No comments yet. Be the first!