CVE-2022-23510: @cubejs-backend/api-gateway row level security bypass

CVSS Score: 7.7 (CVSS 3.1)

Basic Information

EPSS Score: 0.06121%
Published: 12/12/2022
Updated: 1/28/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| @cubejs-backend/api-gateway | npm | = 0.31.23 | 0.31.24 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from two key elements:

1) The `sqlRunner` method, which executed raw SQL without applying the row-level security filters from Cube's modeling layer.
2) The `POST /v1/sql-runner` endpoint, which exposed this functionality to authenticated users.

The security bypass is evident in commit f1140de, which completely removed these components, and the vulnerability description explicitly states that this endpoint bypassed security contexts. The diff shows the removal of both the route registration and the `sqlRunner` method implementation, confirming their role in the vulnerability.

WAF Protection Rules

WAF Rule

### Impact

All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint.

### Patches

The change has been reverted in *.**.**

### Workarounds

Upgrade to >=*.**.** or downgrade