CVE-2022-23510: 
JavaScript vulnerability analysis and mitigation

CVE-2022-23510 affects cube-js, a headless business intelligence platform. In version 0.31.23, all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. The vulnerability was discovered and disclosed in December 2022, and was patched in version 0.31.24 (GitHub Advisory).

The vulnerability was introduced through a new endpoint /v1/sql-runner that allowed adding arbitrary queries directly to the queue, bypassing the modeling layer. This implementation completely circumvented row-level security logic, allowing any user with a valid Cube JWT token to fetch unauthorized data. The vulnerability has a CVSS v3.1 base score of 9.6 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (GitHub Advisory).

The vulnerability allowed authenticated users to bypass row-level security restrictions and execute arbitrary SQL queries, potentially accessing sensitive data they were not authorized to view. This represented a significant security breach in data access controls (GitHub Advisory).

Users are advised to either upgrade to version 0.31.24 or downgrade to version 0.31.22 or earlier. The vulnerable version 0.31.23 was pulled from all registries upon discovery of the vulnerability. There are no other known workarounds for this vulnerability (GitHub Advisory).

The Cube Core team noticed the issue and took immediate action by revoking version 0.31.23 from all registries and publishing a CVE on GitHub. The vulnerability was introduced through a code review oversight where the security implications of the new endpoint were not fully considered (GitHub Advisory).