Surrealdb · Surrealdb · CVE-2024-58367
**Name of the Vulnerable Software and Affected Versions**
SurrealDB versions prior to 2.0.4
**Description**
Authorized users can bypass field permissions during SELECT, UPDATE, and DELETE operations to access unauthorized field values. This is achieved through various query techniques, including the use of SELECT VALUE operations, field aliasing, function arguments, WHERE clause filtering, RETURN BEFORE clauses, and SET clause references, which allow the leakage of protected field contents even when SELECT permissions are absent.
**Recommendations**
Update SurrealDB to version 2.0.4 or later.