Security advisory: Vulnerabilities in WebSocket transport

Recently discovered vulnerabilities in Cube's WebSocket transport implementation, specifically affecting versions 0.27.19 to 1.5.14, have been patched following an internal security audit. The vulnerabilities, one with a high CVSS rating allowing privilege escalation and another with a moderate rating enabling denial of service attacks, were found in deployments where the WebSocket transport was explicitly enabled. There is no evidence of these vulnerabilities being exploited in the wild. Cube Core users are urged to upgrade their deployments to versions 1.6.0, 1.5.15, 1.4.2, or 1.0.14, which address the issues, while Cube Cloud deployments have already been secured. Users are advised to review changelog entries for potential breaking changes when upgrading and to contact Cube Cloud customer success for further assistance. Cube emphasizes its commitment to security by implementing a secure development lifecycle and enhancing security controls, detailed further in their trust center.