CVE-2023-50709 – @cubejs-backend/api-gateway

Package

Manager: npm
Name: @cubejs-backend/api-gateway
Vulnerable Version: >=0 <0.34.34

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00169 pctl0.3859

Details

Cube API denial of service attack ### Impact It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. ### Patches The issue has been patched in the `v0.34.34` and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption. ### Workarounds There are currently no workaround for older versions, and the recommendation is to upgrade. ### References The issue was reported by [y0d3n](https://github.com/y0d3n) in our Community Slack and has been promptly patched in the recent update.

Metadata

Created: 2023-12-13T23:15:56Z
Modified: 2023-12-19T20:39:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-9759-3276-g2pm/GHSA-9759-3276-g2pm.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-9759-3276-g2pm
Finding: F184
Auto approve: 1