Vulnerability Description
Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption. There are currently no workaround for older versions, and the recommendation is to upgrade.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cube | Cube.Js | < 0.34.34 |
Related Weaknesses (CWE)
References
- https://github.com/cube-js/cube/releases/tag/v0.34.34Release Notes
- https://github.com/cube-js/cube/security/advisories/GHSA-9759-3276-g2pmThird Party Advisory
- https://github.com/cube-js/cube/releases/tag/v0.34.34Release Notes
- https://github.com/cube-js/cube/security/advisories/GHSA-9759-3276-g2pmThird Party Advisory
FAQ
What is CVE-2023-50709?
CVE-2023-50709 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoi...
How severe is CVE-2023-50709?
CVE-2023-50709 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-50709?
Check the references section above for vendor advisories and patch information. Affected products include: Cube Cube.Js.