CVE-2023-35844
Published 2023-06-19
Priority P2 76 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 6.34% (92.8th percentile)
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lightdash | lightdash | < 0.510.3 | 0.510.3 |
Detection & IOCs (extracted from sources)
- Look for HTTP GET requests to /api/v1/slack/image/ containing URL-encoded path traversal sequences (%2F..) targeting files outside the intended directory (e.g., /etc/passwd).
- Successful exploitation returns HTTP 200 with content matching root:[x*]:0:0, indicating arbitrary file read of /etc/passwd.
- The vulnerable endpoint does not enforce intended file extensions (.csv or .png), so requests lacking these extensions but traversing directories should be flagged.
- Use Shodan/FOFA queries to identify exposed Lightdash instances: title:"Lightdash" or title="lightdash".
- The vulnerability is unauthenticated (PR:N), meaning no credentials are required to exploit the path traversal endpoint.
- Affected versions are Lightdash <= 0.510.3; the fix was introduced in 0.510.3 via commit fcc808c84c2cc3afb343063e32a49440d32a553c.
- EPSS score is extremely high (0.92336, 99.7th percentile), indicating active exploitation in the wild is very likely.
CVSS provenance
- nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck · 7.5 HIGH
GHSA
GHSA-x8qg-5w28-wmr9 · ghsa_unreviewed · 2023-06-19 · CVE-2023-35844 [HIGH] · CWE-22
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
VulnCheck
lightdash lightdash · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · vulncheck · 2023 · CVSS 7.5 · CVE-2023-35844 [HIGH]
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
Affected: lightdash lightdash
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-35844
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-2023-35844
- https://dashboard.sh
No detection rules found.
Nuclei
Lightdash version <= 0.510.3 Arbitrary File Read · nuclei · CVSS 7.5 · CVE-2023-35844 [HIGH]
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
Template:

```yaml
id: CVE-2023-35844

info:
  name: Lightdash version <= 0.510.3 Arbitrary File Read
  author: dwisiswant0
  severity: high
  description: |
    packages/backend/src/routers in Lightdash before 0.510.3
    has insecure file endpoints, e.g., they allow .. directory
    traversal and do not ensure that an intended file extension
    (.csv or .png) is used.
  impact: |
    The vulnerability can lead to unauthorized access to sensitive information, potentially exposing user credentials, database credentials, and other confidential data.
  remediation: |
    Upgrade Lightdas
```
References:
- https://advisory.dw1.io/59
- https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c
- https://github.com/lightdash/lightdash/compare/0.510.2...0.510.3
- https://github.com/lightdash/lightdash/pull/5090
Published: 2023-06-19 · Exploited in the wild