PT-2023-6481 · Lightdash · Lightdash

Published 2023-04-14 · Updated 2024-12-12 · CVE-2023-35844

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lightdash versions prior to 0.510.3

Description: The vulnerability is an improper restriction of a pathname to a restricted directory (path traversal). It allows a remote attacker to gain unauthorized access to protected information. The affected file endpoints are insecure: they permit directory traversal and do not ensure that the requested file carries an intended extension such as .csv or .png. Approximately 78 potentially affected devices have been identified.

Recommendations: For versions prior to 0.510.3, update to version 0.510.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable file endpoints in the packages/backend/src/routers directory until a patch is applied, and avoid using those endpoints, which allow directory traversal, until the issue is resolved.
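The two defects the description names, a missing containment check and a missing extension check, are illustrated below with an added TypeScript example that is not Lightdash's code and not the project's fix. It assumes a single export directory from which only .csv and .png files are meant to be served; the function names are hypothetical.

```typescript
import * as path from "path";

// File types the export endpoints are meant to serve (assumption for this
// example; the advisory names .csv and .png as the intended extensions).
const ALLOWED_EXTENSIONS = new Set([".csv", ".png"]);

type FileCheck =
  | { ok: true; resolved: string }
  | { ok: false; reason: string };

// The weak pattern: joining the caller's input onto the base directory and
// trusting the result. "../../etc/passwd" simply climbs out of baseDir.
function naiveExportPath(baseDir: string, requested: string): string {
  return path.join(baseDir, requested);
}

// Hardened resolver: the request must be a bare file name, must resolve to a
// location inside baseDir, and must carry one of the allowed extensions.
function resolveExportPath(baseDir: string, requested: string): FileCheck {
  const root = path.resolve(baseDir);
  if (requested.length === 0 || requested.includes("\0")) {
    return { ok: false, reason: "empty name or NUL byte" };
  }
  // A bare file name has no directory component at all; this rejects
  // "../x", "/etc/passwd" and "a/../../b" before any path arithmetic.
  if (path.basename(requested) !== requested) {
    return { ok: false, reason: "directory components not allowed" };
  }
  const resolved = path.resolve(root, requested);
  // Containment check on the canonical form, independent of the check above.
  const rel = path.relative(root, resolved);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return { ok: false, reason: "not a file inside the export directory" };
  }
  const ext = path.extname(resolved).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension "${ext || "(none)"}" not allowed` };
  }
  return { ok: true, resolved };
}
```

The containment check is kept even though the bare-name check already rejects traversal, so that a later change to allow subdirectories cannot silently reopen the hole.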

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2023-07214
CVE-2023-35844

Affected Products

Lightdash