GHSA-9759-3276-G2PM

Vulnerability from github – Published: 2023-12-13 23:15 – Updated: 2023-12-19 20:39
VLAI?
Summary
Cube API denial of service attack
Details

Impact

It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.

Patches

The issue has been patched in the v0.34.34 and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption.

Workarounds

There are currently no workaround for older versions, and the recommendation is to upgrade.

References

The issue was reported by y0d3n in our Community Slack and has been promptly patched in the recent update.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cubejs-backend/api-gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.34.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T23:15:56Z",
    "nvd_published_at": "2023-12-13T22:15:43Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.\n\n### Patches\nThe issue has been patched in the `v0.34.34` and it\u0027s recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption.\n\n### Workarounds\nThere are currently no workaround for older versions, and the recommendation is to upgrade.\n\n### References\nThe issue was reported by [y0d3n](https://github.com/y0d3n) in our Community Slack and has been promptly patched in the recent update.",
  "id": "GHSA-9759-3276-g2pm",
  "modified": "2023-12-19T20:39:57Z",
  "published": "2023-12-13T23:15:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cube-js/cube/security/advisories/GHSA-9759-3276-g2pm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50709"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cube-js/cube"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cube-js/cube/releases/tag/v0.34.34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cube API denial of service attack"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.