Cyber Resilience

CVE-2023-35844

Severity: High
Public PoC: referenced
Published: 19 June 2023
Modified: 12 December 2024
KEV Added: not listed
Patch: available (0.510.3)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9204 (99.7th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35844 is a high-severity path traversal (CWE-22) vulnerability in Lightdash (vendor: Lightdash). Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 0.3% of CVEs by EPSS exploit likelihood (99.7th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Lightdash versions prior to 0.510.3 contain a path traversal vulnerability (CWE-22) in the file-handling endpoints located in packages/backend/src/routers. The affected routers accept requests that include .. sequences and fail to enforce that only the intended .csv or .png extensions are served, allowing unauthorized access to files outside the designated directories. The issue carries a CVSS 3.1 score of 7.5 reflecting network attackability without authentication or user interaction.

An unauthenticated remote attacker can send crafted requests to these endpoints and retrieve files from outside the intended directories, limited only by what the Lightdash process itself can read, resulting in disclosure of sensitive data with high confidentiality impact. No privileges are required, and the attack can be performed directly over the network.

Public references, including the Lightdash GitHub commit fcc808c, the 0.510.2-to-0.510.3 diff, and pull request 5090, document the corrective changes that close the traversal vectors and enforce extension checks. The associated advisory at advisory.dw1.io/59 recommends upgrading to version 0.510.3 or later. The EPSS score stands at about 0.92 (99.7th percentile), which is unusually high for a vulnerability not listed in KEV and consistent with the public proof-of-concept being actively exercised.
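The weakness described above, as an added TypeScript illustration that is not Lightdash's own code: the "join the request onto the base directory" pattern that lets ".." escape, beside a hardened resolver that enforces the .csv/.png allowlist and confirms the resolved path stays inside the directory. The export directory, the function names and the sample request values are assumptions made for the example; the page does not show the project's real routers or fix.

```typescript
import * as path from "path";

// Assumed directory the file endpoint is meant to serve from; the real
// Lightdash layout is not shown on this page, so this is a placeholder.
export const EXPORT_DIR = path.resolve("/srv/lightdash/exports");

// Extensions the endpoint is supposed to serve (.csv or .png per the advisory text).
export const ALLOWED_EXTENSIONS: ReadonlySet<string> = new Set([".csv", ".png"]);

// Vulnerable pattern: the request-supplied name is joined straight onto the base
// directory. path.join collapses ".." segments, so "../../../etc/passwd" walks
// out of baseDir, and nothing checks the extension.
export function vulnerableResolve(baseDir: string, requested: string): string {
  return path.join(baseDir, requested);
}

// Hardened pattern: a layered check that returns the absolute path to serve,
// or null when the request must be rejected with a 4xx.
export function safeResolve(
  baseDir: string,
  requested: string,
  allowed: ReadonlySet<string> = ALLOWED_EXTENSIONS,
): string | null {
  // 1. Reject empty names, NUL bytes (which truncate paths in C-level APIs) and
  //    backslashes (directory separators on Windows, ignored by POSIX path code).
  if (!requested || requested.includes("\0") || requested.includes("\\")) return null;

  // 2. The endpoint hands out single files, so any directory component,
  //    including "..", is out of scope. basename() strips exactly those.
  if (path.basename(requested) !== requested) return null;

  // 3. Allowlist the extension of the final component, case-insensitively, so
  //    "chart.PNG" is served but "secret.sql" or "dump.csv.bak" is not.
  if (!allowed.has(path.extname(requested).toLowerCase())) return null;

  // 4. Defence in depth: resolve to an absolute path and require it to sit
  //    strictly below the base directory. The trailing separator stops
  //    "/srv/lightdash/exports-old/x.csv" from passing a plain startsWith().
  const root = path.resolve(baseDir);
  const resolved = path.resolve(root, requested);
  if (!resolved.startsWith(root + path.sep)) return null;

  return resolved;
}

// Constructed request values: two legitimate names and several traversal or
// extension-bypass attempts of the kind the advisory describes.
export const SAMPLE_REQUESTS: readonly string[] = [
  "report.csv",
  "chart.PNG",
  "../../../etc/passwd",
  "../../../etc/passwd.csv",
  "report.csv/../../../.env",
  "secret.sql",
  "notes.csv\0.png",
];

// Run every sample through both resolvers so the difference is visible side by side.
export function compareResolvers(
  requests: readonly string[] = SAMPLE_REQUESTS,
): Array<{ requested: string; vulnerable: string; hardened: string | null }> {
  return requests.map((requested) => ({
    requested,
    vulnerable: vulnerableResolve(EXPORT_DIR, requested),
    hardened: safeResolve(EXPORT_DIR, requested),
  }));
}

for (const row of compareResolvers()) {
  console.log(JSON.stringify(row));
}
```

The ordering matters: the extension check runs on the last path component only, so a traversal such as "../../../etc/passwd.csv" would pass it in isolation; the basename check and the containment check are what actually keep the request inside the directory. When auditing an endpoint like this, test each layer with an input that defeats only that layer.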

Vulnerability details

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: lightdash
Product: lightdash
Versions: < 0.510.3 (fixed in 0.510.3)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames to prevent traversal outside intended directories.

References

Lightdash GitHub commit fcc808c (fix)
Lightdash 0.510.2-to-0.510.3 diff
Lightdash pull request 5090
advisory.dw1.io/59