GHSA-jc55-246c-r88f: 
Rust vulnerability analysis and mitigation

A security vulnerability (GHSA-jc55-246c-r88f) was discovered in SurrealDB affecting versions prior to 2.1.0. The issue involves an uncaught exception when handling nonexistent roles, where roles for system users are stored as generic Ident values and converted into the Role enum during IAM operations. The vulnerability was discovered and disclosed on November 22, 2024, affecting both surrealdb and surrealdb-core Rust packages (GitHub Advisory).

The vulnerability stems from the implementation of std::convert::From<&Ident> for Role, where the unwrap() method was called on the conversion result. The conversion expects identifiers to only contain the values owner, editor, and viewer, returning an error for other values. However, when a nonexistent role was used, the unwrap() call would result in a panic. The vulnerability has been assigned a CVSS score of 4.9 (Moderate) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

A privileged user with the owner role at any level in SurrealDB could define a user with DEFINE USER command using a nonexistent role. When attempting to perform certain IAM operations with that user, including signing in, the server would crash due to the panic, resulting in a denial of service condition (GitHub Advisory).

The issue has been patched in version 2.1.0, where nonexistent roles are no longer accepted during parsing when defining a user. Additionally, referencing nonexistent roles will now throw an InvalidRole error instead of panicking. For users unable to update, it is recommended to limit access to users with the owner role to trusted parties only and ensure the SurrealDB process is configured to automatically restart after a crash (GitHub Advisory, SurrealDB PR).