Advisories for Npm/@Cubejs-Backend/Server-Core package

Impact It is possible to make a specially crafted request with a valid API token that leads to privilege escalation. Affected Versions: ≥= 0.27.19 Mitigation: Upgrade to a patched version: 1.5.13 and later (regular release) 1.4.2 (active LTS release) 1.0.14 (end-of-life LTS release) References The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Impact It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. Affected Versions: >= 1.1.17 Mitigation: Upgrade to a patched version: 1.5.13 and later (regular release) 1.4.2 (active LTS release) References The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.