CVE-2023-35844
Published: 19 June 2023
Summary
CVE-2023-35844 is a high-severity Path Traversal (CWE-22) vulnerability in Lightdash (vendor: Lightdash). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Lightdash versions prior to 0.510.3 contain a path traversal vulnerability (CWE-22) in the file-handling endpoints located in packages/backend/src/routers. The affected routers accept requests that include .. sequences and fail to enforce that only files with the intended .csv or .png extensions are served, allowing unauthorized access to files outside the designated directories. The issue carries a CVSS 3.1 score of 7.5, reflecting that it is exploitable over the network without authentication or user interaction.
An unauthenticated remote attacker can send crafted requests to these endpoints and retrieve arbitrary files from the server filesystem, resulting in disclosure of sensitive data with high confidentiality impact. No privileges are required, and the attack can be performed directly over the network.
Public references, including the Lightdash GitHub commit fcc808c, the 0.510.2-to-0.510.3 diff, and pull request 5090, document the corrective changes that close the traversal vectors and enforce extension checks. The associated advisory at advisory.dw1.io/59 recommends upgrading to version 0.510.3 or later. The EPSS score is elevated, near 0.92, with no material rise from its earlier low baseline.
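The fix described above combines two controls: containment of the resolved path within the export directory and an allowlist of served extensions. The helper below is an added illustration of those two checks for a Node.js backend; it is not Lightdash's own code, and the function name `resolveSafeFile` and the base directory used in the comments are assumptions.

```typescript
import * as path from "node:path";

// Hypothetical helper (not from Lightdash): map a user-supplied file name to an
// absolute path that is guaranteed to stay inside baseDir and to carry one of
// the allowed extensions. Returns null whenever the request must be refused.
function resolveSafeFile(
  baseDir: string,
  requested: string,
  allowedExts: ReadonlyArray<string> = [".csv", ".png"],
): string | null {
  // An embedded NUL byte can truncate the name at the OS layer, so refuse it outright.
  if (requested.includes("\0")) return null;

  // Resolve both sides to canonical absolute forms before comparing them.
  // path.resolve() collapses ".." segments and discards baseDir entirely when
  // `requested` is itself absolute, so the containment check below catches both cases.
  const root = path.resolve(baseDir);
  const candidate = path.resolve(root, requested);

  // Containment: path.relative() yields ".." or "../..." (or an absolute path on a
  // different Windows drive) when the candidate lies outside root. An empty
  // result means the request resolved to the directory itself, which is also refused.
  const rel = path.relative(root, candidate);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }

  // Extension allowlist, compared case-insensitively on the final component only.
  const ext = path.extname(candidate).toLowerCase();
  if (!allowedExts.includes(ext)) return null;

  return candidate;
}
```

Symlinks inside the export directory are not followed here; a deployment that allows them would additionally compare `fs.realpathSync(candidate)` against the root.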
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39837
Vulnerability details
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.