Description

Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption. There are currently no workaround for older versions, and the recommendation is to upgrade.

Remediation

References

https://github.com/cube-js/cube/releases/tag/v0.34.34

https://github.com/cube-js/cube/security/advisories/GHSA-9759-3276-g2pm

Related Vulnerabilities

CVE-2020-14000 Vulnerability in npm package scratch-vm

CVE-2018-1000160 Vulnerability in npm package @risingstack/protect

CVE-2017-2646 Vulnerability in maven package org.keycloak:keycloak-saml-core

CVE-2020-2137 Vulnerability in maven package org.jenkins-ci.plugins:timestamper

CVE-2021-32809 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Release Notes Third Party Advisory NVD-CWE-noinfo