PT-2024-22367 · Querybook

Hakupiku

Published 2024-03-13 · Updated 2025-09-04 · CVE-2024-28251

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Querybook versions prior to 3.32.0
Description: The issue concerns Querybook, a Big Data Querying UI that combines collocated table metadata and a simple notebook interface. Querybook's datadocs functionality uses a WebSocket server through which clients update, delete and read cells and watch the live status of query executions. The server's CORS setting allows all origins, so any web page a logged-in user visits can open a WebSocket to the Querybook server from the user's browser, which attaches the user's session credentials to the handshake. This is cross-site WebSocket hijacking: the attacker's page can then read, edit, or delete the user's datadocs over that connection.
Recommendations: For versions prior to 3.32.0, upgrade to version 3.32.0, which addresses the issue. As a temporary workaround, restrict access to the WebSocket server (for example, accept handshakes only from the origin Querybook is served from, and limit network access to the server) to minimize the risk of exploitation. Avoid using the datadocs functionality until the issue is resolved.
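To make the mechanism concrete, the following is an added example written for this page; it is not Querybook's code and not the vendor's fix. It shows the decision a WebSocket server has to make at the handshake: with the weak setting "*" every Origin is accepted, while the hardened check compares a normalized Origin against an allowlist of origins the deployment actually owns. The probe function sends a raw HTTP Upgrade with a forged Origin and returns the status code, which is how a practitioner can confirm whether a workaround took effect; the hostnames, port and the "/ws" path in it are assumptions, not Querybook's real endpoint.

```python
"""Cross-site WebSocket hijacking (CSWSH): origin check and handshake probe.

Added example for this advisory page, not Querybook code. Hostnames, the
port and the "/ws" path below are placeholders (assumptions), not the real
Querybook endpoint.
"""
import base64
import os
import socket
from urllib.parse import urlsplit

ALLOW_ALL = "*"  # the weak setting: every origin may open the socket


def normalize_origin(origin):
    """Return 'scheme://host[:port]' with lower-cased host and default port
    stripped, or None for anything that is not an http(s) origin (e.g. 'null')."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers, allowed_origins):
    """Decide whether a WebSocket upgrade request should be accepted.

    headers: request headers as a dict (header names matched case-insensitively).
    allowed_origins: ALLOW_ALL, or a list of origins the deployment owns.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if allowed_origins == ALLOW_ALL:
        # Weak setting: a page on any site can open the socket in the victim's
        # browser, and the browser attaches the victim's cookies to the handshake.
        return True
    if origin is None:
        # Conservative choice: browsers always send Origin on a WebSocket handshake,
        # so a missing header means a non-browser client or a stripped header.
        return False
    norm = normalize_origin(origin)
    if norm is None:
        return False
    allowed = {normalize_origin(o) for o in allowed_origins}
    allowed.discard(None)
    return norm in allowed  # exact match, so 'querybook.example.evil' does not pass


def probe_handshake(host, port, path, origin, timeout=5.0):
    """Send a raw HTTP/1.1 Upgrade with a chosen Origin and return the HTTP status.

    101 means the server accepted the handshake for that Origin; 403 (or another
    non-101 code) means it refused. Needs network access; not run by the tests."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        f"Origin: {origin}\r\n\r\n"
    )
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        status_line = sock.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    return int(status_line.split()[1])


if __name__ == "__main__":
    # Hypothetical target: a Querybook-like server on localhost:3000 at "/ws".
    # A 101 for an origin you do not own means the server is still hijackable.
    status = probe_handshake("127.0.0.1", 3000, "/ws", "https://attacker.example")
    print("hijackable" if status == 101 else f"refused ({status})")
```

The allowlist should contain only the origin (scheme, host and port) from which Querybook's own UI is served; restricting network access to the server, as the workaround suggests, is a separate layer and does not by itself stop a browser that already has network reach.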

Weakness Enumeration

CWE-345: Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2024-28251
GHSA-5349-j4c9-x767

Affected Products

Querybook