CVE-2023-35844 Overview
CVE-2023-35844 is a path traversal vulnerability affecting Lightdash, an open-source business intelligence platform. The vulnerability exists in packages/backend/src/routers where insecure file endpoints fail to properly validate user-supplied input, allowing attackers to use .. directory traversal sequences to access arbitrary files on the server. Additionally, the application does not enforce that downloaded files have intended extensions (.csv or .png), enabling attackers to retrieve sensitive files outside the expected directories.
Critical Impact
This vulnerability allows unauthenticated remote attackers to read arbitrary files from the server, potentially exposing configuration files, credentials, application source code, and other sensitive data stored on the system.
Affected Products
- Lightdash versions prior to 0.510.3
- Lightdash packages/backend/src/routers component
- All Lightdash deployments with exposed file download endpoints
Discovery Timeline
- 2023-06-19 - CVE-2023-35844 published to NVD
- 2024-12-12 - Last updated in NVD database
Technical Details for CVE-2023-35844
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) exists in the file endpoint handlers within Lightdash's backend routing module. The vulnerability allows attackers to manipulate file path parameters to escape the intended directory structure and access files anywhere on the filesystem that the application has read permissions for.
The core issue stems from two security deficiencies: First, the application fails to sanitize or validate path components containing directory traversal sequences like ... Second, there is no enforcement of expected file extensions, meaning attackers are not restricted to retrieving only .csv or .png files as intended by the application design.
This vulnerability is network-accessible without requiring authentication, making it particularly dangerous for internet-exposed Lightdash instances. Successful exploitation could lead to disclosure of sensitive configuration files, database credentials, API keys, or other confidential information stored on the server.
Root Cause
The root cause is improper input validation in the file download endpoints within packages/backend/src/routers. The application directly uses user-supplied path parameters to construct file paths without sanitizing directory traversal sequences or validating that the resulting path remains within the intended directory. The lack of file extension validation compounds this issue by removing an additional layer of defense that could have limited exploitation.
Attack Vector
The attack is conducted over the network against Lightdash's HTTP endpoints. An attacker can craft malicious requests containing .. sequences in file path parameters to traverse directories and access arbitrary files. Since no authentication is required and the attack complexity is low, any attacker with network access to the Lightdash instance can exploit this vulnerability.
A typical attack scenario involves:
- Identifying a vulnerable Lightdash file endpoint
- Crafting a request with directory traversal sequences (e.g., ../../../etc/passwd)
- Receiving the contents of sensitive files in the response
The vulnerability allows high-impact confidentiality breaches as attackers can read any file accessible to the Lightdash process, including configuration files with database credentials, environment variables, and application secrets.
Detection Methods for CVE-2023-35844
Indicators of Compromise
- HTTP requests to Lightdash file endpoints containing .. or %2e%2e sequences
- Unusual file access patterns in application logs referencing paths outside expected directories
- Access to sensitive system files like /etc/passwd, configuration files, or credential stores
- Anomalous network traffic patterns to Lightdash instances from unexpected sources
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns in requests
- Implement intrusion detection rules to alert on ../ sequences in URL parameters
- Review Lightdash access logs for requests to file endpoints with suspicious path components
- Deploy file integrity monitoring on sensitive configuration files and directories
Monitoring Recommendations
- Enable verbose logging on Lightdash file endpoints to capture full request paths
- Configure SIEM rules to correlate multiple path traversal attempts from the same source
- Monitor for data exfiltration indicators following potential exploitation attempts
- Implement real-time alerting for access to sensitive file paths from web application processes
How to Mitigate CVE-2023-35844
Immediate Actions Required
- Upgrade Lightdash to version 0.510.3 or later immediately
- If immediate patching is not possible, restrict network access to Lightdash instances
- Review access logs for evidence of exploitation attempts
- Audit any potentially exposed sensitive data and rotate credentials if necessary
Patch Information
Lightdash has addressed this vulnerability in version 0.510.3. The fix is available through GitHub Pull Request #5090 and the specific commit can be reviewed at GitHub Commit fcc808c84c2cc3afb343063e32a49440d32a553c. Release notes detailing changes between versions are available in the GitHub Release Comparison.
Additional technical details about this vulnerability can be found in the DW1 Security Advisory #59.
Workarounds
- Place Lightdash behind a reverse proxy or WAF with path traversal filtering rules
- Restrict access to Lightdash file download endpoints at the network level using firewall rules
- Implement IP allowlisting to limit access to trusted networks only
- Monitor and block requests containing directory traversal patterns (.., %2e%2e, etc.)
# Example nginx configuration to block path traversal attempts
location /api/ {
# Block requests containing path traversal sequences
if ($request_uri ~* "\.\.") {
return 403;
}
# Block URL-encoded traversal attempts
if ($request_uri ~* "%2e%2e") {
return 403;
}
proxy_pass http://lightdash_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
