CVE-2023-50709: 
JavaScript vulnerability analysis and mitigation

Cube, a semantic layer for building data applications, disclosed a vulnerability (CVE-2023-50709) prior to version 0.34.34. The vulnerability allows attackers to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while GitHub assigned it a score of 6.5 MEDIUM with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) by GitHub (NVD).

The vulnerability can result in a denial of service condition, making the entire Cube API unavailable when exploited. This primarily affects the availability of the service, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 0.34.34. Users are strongly recommended to upgrade to this version or later, especially if their Cube APIs are exposed to the public internet. There are no workarounds available for older versions (GitHub Advisory, Release Notes).

The issue was initially reported by user y0d3n in the Cube Community Slack and was promptly patched in the update (GitHub Advisory).