Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook's datadocs functionality works by using a WebSocket server. The client talks to this WSS whenever updating, deleting or reading any cells, as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site WebSocket hijacking and allow attackers to read, edit or remove the user's datadocs. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
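The defence against cross-site WebSocket hijacking is a strict server-side check of the browser's Origin header during the handshake. The following is an added illustration of such a check, not Querybook's own code or the actual patch; the allowlisted hostnames are placeholders, and the Flask-SocketIO remark is an assumption about how a deployment would wire it in.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the origins this Querybook deployment is served from.
# Hostnames are placeholders, not values from the advisory.
ALLOWED_ORIGINS = frozenset({
    "https://querybook.example.com",
    "https://querybook.example.com:8443",
})


def normalize_origin(origin):
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None for anything that is not a well-formed browser origin:
    missing header, the literal "null" (sandboxed iframes, data: URLs),
    non-http(s) schemes, or a value smuggling userinfo/path/fragment.
    Default ports (80/443) are stripped so both spellings compare equal.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def is_allowed_origin(origin_header, allowlist=ALLOWED_ORIGINS):
    """Exact-match check; substring or suffix matching would let
    querybook.example.com.attacker.test through."""
    allowed = {normalize_origin(o) for o in allowlist} - {None}
    return normalize_origin(origin_header) in allowed


def accept_upgrade(headers, allowlist=ALLOWED_ORIGINS):
    """Gate for the WebSocket handshake: refuse unless Origin is allowlisted.

    With Flask-SocketIO the same list is what cors_allowed_origins would be
    set to instead of "*" (assumption about the deployment, not the fix itself).
    """
    return is_allowed_origin(headers.get("Origin"), allowlist)
```

Because the session cookie is sent automatically on a cross-site handshake, refusing unknown, missing or "null" origins is what stops another site from driving the datadoc socket with the victim's credentials.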
History
04 Sep 2025, 15:58

Type | Values Removed | Values Added
---|---|---
First Time | | Pinterest; Pinterest querybook
CPE | | cpe:2.3:a:pinterest:querybook:*:*:*:*:*:*:*:*
References | | https://github.com/pinterest/querybook/pull/1425 - Patch
References | | https://github.com/pinterest/querybook/security/advisories/GHSA-5349-j4c9-x767 - Vendor Advisory

21 Nov 2024, 09:06

Type | Values Removed | Values Added
---|---|---
References | | https://github.com/pinterest/querybook/pull/1425
References | | https://github.com/pinterest/querybook/security/advisories/GHSA-5349-j4c9-x767

14 Mar 2024, 00:15

Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2024-03-14 00:15
Updated : 2025-09-04 15:58
NVD link : CVE-2024-28251
Mitre link : CVE-2024-28251
CVE.ORG link : CVE-2024-28251
Products Affected
- querybook
CWE
CWE-345
Insufficient Verification of Data Authenticity