cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to 0.31.24 or to downgrade to 0.31.22. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/cube-js/cube.js/commit/3c614674fed6ca17df08bbba8c835ef110167570 | Patch Third Party Advisory |
https://github.com/cube-js/cube.js/commit/f1140de508e359970ac82b50bae1c4bf152f6041 | Patch Third Party Advisory |
https://github.com/cube-js/cube.js/security/advisories/GHSA-6jqm-3c9g-pch7 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-12-09T22:12:10.191Z
Updated:
Reserved: 2022-01-19T21:23:53.775Z
Link: CVE-2022-23510
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-12-09T23:15:22.227
Modified: 2022-12-13T15:07:13.027
Link: CVE-2022-23510
JSON object: View
Redhat Information
No data.
CWE