CVE-2023-35844 in Lightdash
Summary
by MITRE • 06/19/2023
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
Analysis
by VulDB Data Team • 12/12/2024
The vulnerability identified as CVE-2023-35844 affects Lightdash versions prior to 0.510.3 and resides within the backend file handling components located in packages/backend/src/routers. This issue represents a critical security flaw that exposes the application to directory traversal attacks and improper file validation mechanisms. The affected code path processes file endpoints without adequate input sanitization, creating opportunities for malicious actors to access unauthorized files within the system's file hierarchy.
The technical implementation flaw stems from insufficient validation of file paths and extensions within the router handlers. Specifically, the application fails to properly sanitize user-supplied input that determines file access paths, allowing attackers to utilize directory traversal sequences such as .. to navigate beyond the intended directory boundaries. This weakness directly maps to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory and CWE-73 - External Control of File Name or Path. The vulnerability enables attackers to potentially access sensitive files that should remain protected within the application's restricted file system access boundaries.
The operational impact of this vulnerability extends beyond simple unauthorized file access, as it gives attackers the ability to retrieve arbitrary files from the server's file system. Because the file extension is not validated, an attacker could request files with extensions that were never intended for public access, which may lead to data exfiltration or further exploitation. This is particularly serious where Lightdash serves as a data visualization platform, since it could expose database connection strings, configuration files, or other sensitive artifacts stored within the application's file system. The attack surface is further expanded by the fact that the affected endpoints are likely accessible to authenticated users, potentially enabling privilege escalation scenarios.
Mitigation strategies for CVE-2023-35844 should focus on implementing proper input validation and path sanitization mechanisms. Organizations should immediately upgrade to Lightdash version 0.510.3 or later, which contains the necessary fixes for this vulnerability. Additionally, administrators should implement proper file access controls and ensure that all file path resolution operations validate against a whitelist of allowed extensions. The solution should incorporate proper path normalization and directory traversal prevention techniques, ensuring that all file access operations validate that requested files fall within predetermined safe directories. This vulnerability also aligns with ATT&CK technique T1078 - Valid Accounts and T1566 - Phishing, as it may enable attackers to gain access to sensitive data that could be used for further reconnaissance or credential theft activities.
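The two defects described above (directory traversal via `..` and a missing extension allow-list) and the mitigation just outlined (path normalization, containment in a fixed directory, and an extension allow-list) can be demonstrated together in one small resolver. The following TypeScript is an added illustration written for this page; it is not Lightdash's own code and does not reproduce the vulnerable router. The base directory `/srv/lightdash/exports` and the function names `resolveUnsafe` and `resolveSafe` are assumptions chosen for the example; only the `.csv` and `.png` extensions come from the advisory text.

```typescript
import * as path from 'path';

// Constructed base directory for this example; the real export location
// used by Lightdash is not stated in the advisory.
export const EXPORT_DIR = '/srv/lightdash/exports';

// Extensions named in the advisory as the only intended file types.
export const ALLOWED_EXTENSIONS = new Set(['.csv', '.png']);

// Hypothetical vulnerable pattern, shown only for contrast: the caller's
// input is joined onto the base directory with no containment check and
// no extension check, so '..' segments walk out of EXPORT_DIR.
export function resolveUnsafe(requested: string): string {
  return path.posix.join(EXPORT_DIR, requested);
}

// Hardened resolver. Returns the absolute path that may be served, or null
// when the request must be rejected (HTTP 400/404 in a real handler).
export function resolveSafe(requested: string): string | null {
  // 1. NUL bytes can truncate the path in lower layers; reject outright.
  if (requested.includes('\0')) return null;

  // 2. Canonicalise: resolve() collapses '.', '..' and repeated separators
  //    against the base directory and always yields an absolute path.
  //    An absolute input such as '/etc/passwd' replaces the base entirely,
  //    which the containment check below catches.
  const resolved = path.posix.resolve(EXPORT_DIR, requested);

  // 3. Containment: the canonical path must lie strictly inside EXPORT_DIR.
  //    path.relative() starts with '..' when the target is outside the base.
  //    A bare startsWith(EXPORT_DIR) is not enough: it would wrongly accept
  //    '/srv/lightdash/exports-old/x.csv'.
  const rel = path.posix.relative(EXPORT_DIR, resolved);
  if (rel === '' || rel === '..' || rel.startsWith('../')) return null;

  // 4. Extension allow-list, applied to the canonical path rather than the
  //    raw input, compared case-insensitively.
  const ext = path.posix.extname(resolved).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) return null;

  return resolved;
}

// Constructed sample requests, printed as a quick decision table when the
// file is run directly. Nothing here touches the real file system.
const SAMPLE_REQUESTS = [
  'report.csv',
  'sub/chart.PNG',
  '../../etc/passwd',
  '../../etc/passwd.csv',
  '/etc/passwd',
  '../exports-old/x.csv',
  'config.json',
];
for (const r of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(r), '->', resolveUnsafe(r), '| safe:', resolveSafe(r));
}
```

Note that `../../etc/passwd.csv` is rejected by the containment step even though its extension is on the allow-list: checking the extension alone, or checking it on the raw input, would not have blocked the traversal. Express decodes percent-encoded path parameters before the handler runs, so the check must operate on the decoded value, which is what a handler would pass in here.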