@cubejs-backend/api-gateway row level security bypass

Severity:
High

Description

All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint.

Recommendation

Update the @cubejs-backend/api-gateway package to the latest compatible version. The version details are as follows:

References

Related Issues

Tags:
npm
@cubejs-backend/api-gateway
Last updated on January 28, 2023
