PT-2024-40214 · Surrealdb · Surrealdb

Published: 2024-10-08 · Updated: 2024-10-08

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SurrealDB versions prior to 2.0.4
Description: The issue arises from the order in which permissions are processed, which can leak field values or record contents to users who lack the required permissions. The leak can occur in several scenarios: SELECT operations, aliasing of fields, function calls within SELECT queries, queries with WHERE clauses, and UPDATE or DELETE operations. It could be exploited by users who are already authorized to execute queries on the database, allowing them to learn the value of a field or the contents of records they are not authorized to read.
Recommendations: For versions prior to 2.0.4, as a temporary workaround, restrict read access at the table level instead of relying on field-level SELECT permissions. When granting UPDATE or DELETE through table permissions, do not allow clients to perform these actions on records they are not permitted to view. Update to version 2.0.4 or later to resolve the issue.
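The following SurrealQL schema, added here as an illustration of the workaround above and not taken from the advisory or from the SurrealDB project, contrasts the pattern that depends on field-level SELECT permissions with one that moves the access decision to the table. The `patient_weak` and `patient` tables, the `owner` and `diagnosis` fields, and the `$auth.id` ownership check are constructed for this example.

```surql
-- Constructed schema for illustration only (not from the advisory).
-- Scenario: each patient record has an owner, and only that owner may read
-- the `diagnosis` field.

-- Pattern the advisory warns about on versions prior to 2.0.4: every
-- authenticated record user may SELECT the table, and confidentiality of
-- `diagnosis` rests on a field-level SELECT permission alone.
DEFINE TABLE patient_weak SCHEMAFULL
    PERMISSIONS
        FOR select FULL
        FOR create, update, delete WHERE owner = $auth.id;
DEFINE FIELD owner     ON TABLE patient_weak TYPE record<user>;
DEFINE FIELD name      ON TABLE patient_weak TYPE string;
DEFINE FIELD diagnosis ON TABLE patient_weak TYPE string
    PERMISSIONS FOR select WHERE owner = $auth.id;

-- Workaround recommended for versions prior to 2.0.4: decide access at the
-- table level so that records a client may not view are never selected at
-- all, and bind UPDATE and DELETE to the same condition so a client cannot
-- act on records it cannot read.
DEFINE TABLE patient SCHEMAFULL
    PERMISSIONS
        FOR select, update, delete WHERE owner = $auth.id
        FOR create WHERE owner = $auth.id;
DEFINE FIELD owner     ON TABLE patient TYPE record<user>;
DEFINE FIELD name      ON TABLE patient TYPE string;
DEFINE FIELD diagnosis ON TABLE patient TYPE string;
```

The second schema gives up per-field granularity within a record: a client either sees the whole record or none of it. Where different fields genuinely need different readers, the same approach applies by splitting the sensitive fields into their own table with its own table-level permissions. After upgrading to 2.0.4 or later, field-level permissions can again be relied upon as documented.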

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers: GHSA-9722-9J67-VJCR

Affected Products: Surrealdb