
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (GHSA-x5fr-7hhj-34j3) was discovered in SurrealDB, affecting versions prior to 1.0.1. The vulnerability, disclosed on December 14, 2023, concerns default table permissions being set to FULL instead of NONE. This security issue affects the SurrealDB database system, specifically its table permission controls (GitHub Advisory).
The vulnerability stems from SurrealDB's default configuration where tables were automatically granted FULL permissions for SELECT, CREATE, UPDATE, and DELETE operations unless explicitly specified otherwise through the PERMISSIONS clause. The issue has been assigned a CVSS score of 8.8 (High), with the following characteristics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, and High impact on Confidentiality, Integrity, and Availability (GitHub Advisory).
The vulnerability allows any authorized client to have full access to tables defined without explicit permissions within their authorization scope (namespace or database). This impact is particularly significant for SurrealDB instances with guest access and publicly exposed interfaces (HTTP REST API or WebSocket API), where unauthenticated remote users could potentially gain complete access to tables lacking explicit permission definitions (GitHub Advisory).
The issue has been patched in version 1.0.1 and later releases, including version 1.1.0-beta.1 and latest nightly releases. In patched versions, tables defined without explicit permissions default to NONE permissions, and table permissions are always explicitly displayed with the INFO FOR DB statement. For unpatched versions, users can mitigate the issue by explicitly defining table permissions using the PERMISSIONS clause, such as 'DEFINE TABLE secure PERMISSIONS NONE' or more granular permission definitions (GitHub Advisory).
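The following audit helper is an added example, not code from the advisory or from SurrealDB: it walks the tables map returned by INFO FOR DB, classifies each DEFINE TABLE statement by its PERMISSIONS clause, and reports which tables are effectively FULL depending on whether the server is patched. The sample result and its shape (table name mapped to its DEFINE TABLE string) are constructed assumptions.

```python
import re

# Constructed sample of an `INFO FOR DB` result (assumed shape: "tables" maps
# each table name to its DEFINE TABLE statement as a string).
SAMPLE_INFO_FOR_DB = {
    "tables": {
        "secure": "DEFINE TABLE secure SCHEMALESS PERMISSIONS NONE",
        "post": ("DEFINE TABLE post SCHEMAFULL PERMISSIONS "
                 "FOR select WHERE published = true, "
                 "FOR create, update, delete WHERE user = $auth.id"),
        "legacy": "DEFINE TABLE legacy SCHEMALESS",  # no clause: FULL before 1.0.1
        "open": "DEFINE TABLE open SCHEMALESS PERMISSIONS FULL",
    }
}

# First keyword after PERMISSIONS decides the class: NONE, FULL, or FOR (granular).
_PERM_RE = re.compile(r"\bPERMISSIONS\s+(NONE|FULL|FOR)\b", re.IGNORECASE)


def classify_table(definition: str) -> str:
    """Return 'none', 'full', 'granular' or 'implicit' for one DEFINE TABLE statement."""
    match = _PERM_RE.search(definition)
    if match is None:
        return "implicit"  # no PERMISSIONS clause at all
    return {"NONE": "none", "FULL": "full"}.get(match.group(1).upper(), "granular")


def audit_tables(info: dict, patched: bool) -> dict:
    """Map each table to its effective permission class.

    An 'implicit' table behaves as FULL on versions before 1.0.1 and as NONE on
    1.0.1 and later, so the version decides how it is resolved.
    """
    findings = {}
    for name, definition in info.get("tables", {}).items():
        kind = classify_table(definition)
        if kind == "implicit":
            kind = "none" if patched else "full"
        findings[name] = kind
    return findings


def exposed_tables(info: dict, patched: bool = False) -> list:
    """Names of tables whose effective permissions are FULL, sorted for stable output."""
    return sorted(n for n, k in audit_tables(info, patched).items() if k == "full")


def remediation_statements(info: dict) -> list:
    """Re-DEFINE statements that keep each implicit table's options and add PERMISSIONS NONE."""
    return [f"{d} PERMISSIONS NONE;" for d in info.get("tables", {}).values()
            if classify_table(d) == "implicit"]
```

Tables reported as "full" on a patched server carry an explicit PERMISSIONS FULL and need a deliberate decision rather than the version upgrade alone.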
Source: This report was generated using AI