CVE-2023-35844 Information
Jun 22, 2023
cve
Description
packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.
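The two missing checks named in the description, shown as an added example (not Lightdash's code or its patch): a client-supplied file id is accepted only as a single path segment carrying the extension the endpoint expects. The helper names, the id character set and the storage root are assumptions.

```javascript
// Added example, not Lightdash code: validate a client-supplied file id
// before it is appended to a storage directory.
const ALLOWED_EXTENSIONS = new Set([".csv", ".png"]); // extensions named in the CVE text

// Hypothetical helper. Returns { ok: true, name } or { ok: false, reason }.
function validateFileId(rawId, expectedExt) {
  if (!ALLOWED_EXTENSIONS.has(expectedExt)) {
    return { ok: false, reason: "unsupported endpoint extension" };
  }
  if (typeof rawId !== "string" || rawId.length === 0 || rawId.length > 255) {
    return { ok: false, reason: "missing or oversized id" };
  }
  // Decode defensively in case the framework has not, so %2e%2e%2f is
  // judged in its decoded form; the checks below run on the decoded value.
  let id;
  try {
    id = decodeURIComponent(rawId);
  } catch {
    return { ok: false, reason: "malformed percent-encoding" };
  }
  // A file id is one path segment: no separators, NUL bytes or leading dot.
  if (/[\/\\\0]/.test(id) || id.startsWith(".")) {
    return { ok: false, reason: "path characters in id" };
  }
  // Strict allowlist (assumed id format): letters, digits, _ and -,
  // followed by exactly the extension this endpoint serves.
  const m = /^([A-Za-z0-9_-]+)(\.[a-z0-9]+)$/.exec(id);
  if (!m || m[2] !== expectedExt) {
    return { ok: false, reason: "unexpected file extension" };
  }
  return { ok: true, name: id };
}

// Hypothetical storage root; the validated name is the only variable part.
function resolveDownloadPath(baseDir, rawId, expectedExt) {
  const result = validateFileId(rawId, expectedExt);
  if (!result.ok) return null; // caller answers 400/404 and logs result.reason
  return `${baseDir.replace(/\/+$/, "")}/${result.name}`;
}
```

A null return from resolveDownloadPath is worth logging with the raw id, since rejected ids containing .. or path separators are a direct signal of traversal probing.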
Reference
https://github.com/lightdash/lightdash/compare/0.510.2...0.510.3
https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c
https://github.com/lightdash/lightdash/pull/5090
https://advisory.dw1.io/59