CVE-2024-28251 Information

Description

Querybook is a Big Data Querying UI combining collocated table metadata and a simple notebook interface. Querybook’s datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Reference

https://github.com/pinterest/querybook/security/advisories/GHSA-5349-j4c9-x767 https://github.com/pinterest/querybook/pull/1425