GHSA-27vq-hv74-7cqp: 
Rust vulnerability analysis and mitigation

A vulnerability was discovered in SurrealDB (versions >= 2.0.0, < 2.1.4) where the OVERWRITE clause of the DEFINE TABLE statement failed to properly overwrite data for tables defined with TYPE RELATION. The issue was disclosed on December 16, 2024, and has been assigned identifier GHSA-27vq-hv74-7cqp. This vulnerability particularly affects the table permissions functionality in SurrealDB (GitHub Advisory).

The vulnerability has been assessed with a CVSS v4.0 score of 2.3 (Low severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. The issue specifically occurs when attempting to use the OVERWRITE clause with DEFINE TABLE statements on tables that were defined with TYPE RELATION, where the system silently fails to update the table definition, including its permissions settings (GitHub Advisory).

When users attempt to update table permissions of a table defined with TYPE RELATION using DEFINE TABLE ... OVERWRITE, the permissions for the table remain unchanged without any error notification. This could lead to a situation where clients authorized to run queries in a SurrealDB server might retain access to data in specific tables that they should have been restricted from accessing after the intended permission changes (GitHub Advisory).

Users are advised to upgrade to version 2.1.4 or later, which contains the fix for this issue. For those unable to update immediately, two workarounds are available: 1) Verify the intended permissions are in place using the INFO FOR DB statement after any permission changes, 2) If updates are required for a table with TYPE RELATION, remove the table and redefine it from scratch with the intended permissions, ensuring to back up data to a temporary table first (GitHub Advisory).