CVE-2024-6586
📋 TL;DR
Lightdash versions before 0.1027.2 contain a server-side request forgery (SSRF) vulnerability in dashboard export. An authenticated user with the Administrator or Editor role can create a dashboard containing malicious HTML elements; when another user exports that dashboard, the export request made on the server carries the exporting user's session token to an attacker-controlled server, enabling session takeover. An Editor who lures an Administrator into exporting the dashboard thereby gains an administrative session.
💻 Affected Systems
- Lightdash
⚠️ Manual Verification Recommended
The NVD record for this CVE does not carry structured version ranges, so automated scanners may not flag affected instances even though the advisory names 0.1027.2 as the fixed release.
Why? Automated detection keys on the version ranges in the CVE database entry, and the vendor/NVD did not supply them; confirm the running version directly (see How to Verify below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An Administrator exports a malicious dashboard and the attacker obtains an administrative session: full control of the Lightdash instance, access to every project and the data it exposes, creation of further privileged users, and potential lateral movement within the network from that position.
Likely Case
Session takeover of whichever users export the malicious dashboard. The attacker acts as those users: reading the data they can query, modifying dashboards and saved charts, and, when the victim outranks the attacker, escalating from Editor to Administrator.
If Mitigated
With egress filtering in place, the callback from the Lightdash host to the attacker's server fails and the token is never exfiltrated; residual risk is confined to instances that cannot restrict outbound traffic and are monitored for it.
🎯 Exploit Status
Exploitation requires an authenticated Administrator or Editor to plant the dashboard; after that, a single export by the victim completes the attack with no further attacker involvement. A public proof-of-concept is available in the GitHub advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1027.2
Vendor Advisory: https://github.com/google/security-research/security/advisories/GHSA-4h7x-6vxh-7hjf
Restart Required: Yes
Instructions:
1. Back up your Lightdash instance (database and configuration).
2. Update to version 0.1027.2 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the Lightdash service.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Restrict dashboard creation permissions
Limit dashboard creation to trusted administrators only, and review existing dashboards for HTML elements that reference hosts outside your own infrastructure.
Network segmentation
Block outbound HTTP/HTTPS requests from the Lightdash host to external networks (allowlisting only the warehouse and any assets the instance legitimately needs) so the SSRF callback that carries the session token cannot reach the attacker.
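The first workaround asks for a review of existing dashboards for suspicious HTML elements. The following script is an added example, not Lightdash project code: it pulls every URL a browser would fetch while rendering a tile (HTML `src`/`href`-style attributes plus markdown links and images) and flags hosts outside an allowlist, which is exactly the set of elements the exporter would reach out to. The dashboard layout (a list of tiles with a `content` string) and the sample dashboard are constructed assumptions standing in for however you extract dashboard definitions from your instance.

```python
"""Flag dashboard tiles whose HTML/markdown references hosts outside an allowlist.

Added example for reviewing existing dashboards; not Lightdash project code.
The tile layout (tiles with a "content" string) and the sample dashboard are
constructed assumptions, not real Lightdash exports.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a browser fetch a URL when the page renders.
FETCHING_ATTRS = {"src", "href", "action", "poster", "data", "srcset", "background"}
# Markdown links and images: [text](url) or ![alt](url)
MARKDOWN_LINK = re.compile(r"!?\[[^\]]*\]\(\s*(<?[^)\s>]+>?)")


class URLCollector(HTMLParser):
    """Collect every URL-bearing attribute value from HTML content."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in FETCHING_ATTRS:
                # srcset can hold several "url size" candidates separated by commas
                for cand in value.split(","):
                    parts = cand.strip().split()
                    if parts:
                        self.urls.append(parts[0])


def extract_urls(content: str) -> list:
    """Return URLs from both HTML attributes and markdown links in a tile."""
    collector = URLCollector()
    collector.feed(content)
    urls = list(collector.urls)
    for m in MARKDOWN_LINK.finditer(content):
        urls.append(m.group(1).strip("<>"))
    return urls


def external_hosts(content: str, allowed_hosts: set) -> list:
    """Return hosts referenced by the tile that are not allowlisted."""
    flagged = []
    for url in extract_urls(content):
        host = urlparse(url).hostname
        # Relative URLs have no host and stay on the Lightdash origin.
        if host and host.lower() not in allowed_hosts:
            flagged.append(host.lower())
    return flagged


def review_dashboard(dashboard: dict, allowed_hosts: set) -> list:
    """Return (tile_uuid, host) pairs that deserve a human look."""
    findings = []
    for tile in dashboard.get("tiles", []):
        for host in external_hosts(tile.get("content", ""), allowed_hosts):
            findings.append((tile.get("uuid"), host))
    return findings


# Constructed sample dashboard (assumed shape, not a real Lightdash export).
SAMPLE_DASHBOARD = {
    "name": "Quarterly revenue",
    "tiles": [
        {"uuid": "t1", "content": "## Revenue\n![logo](/static/logo.png)"},
        {"uuid": "t2", "content": '<img src="https://cdn.example.com/ok.png">'},
        {"uuid": "t3", "content": '<img src="http://attacker.example.net/x.png">'},
        {"uuid": "t4", "content": "[docs](https://docs.example.com/howto) and "
                                  "![](https://c2.example.org/p.gif)"},
    ],
}
ALLOWED = {"cdn.example.com", "docs.example.com"}

if __name__ == "__main__":
    for tile_uuid, host in review_dashboard(SAMPLE_DASHBOARD, ALLOWED):
        print(f"tile {tile_uuid}: references non-allowlisted host {host}")
```

Treat the output as a triage list rather than a verdict: a relative path or an allowlisted CDN is harmless, while any host you do not recognise is a candidate for the element described in the advisory. Obfuscated or dynamically built references will evade a static scan like this, which is why egress filtering remains the stronger control.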
🧯 If You Can't Patch
- Review every new dashboard for HTML elements that reference external hosts before anyone exports it, and restrict export to dashboards that have passed that review
- Monitor outbound traffic from the Lightdash host and alert on connections to unknown domains, particularly those that follow a dashboard export
🔍 How to Verify
Check if Vulnerable:
Check the Lightdash version via the web interface or the health API. Any version below 0.1027.2 is vulnerable.
Check Version:
curl -s http://lightdash-host/api/v1/health | grep -o '"version":"[^"]*"'
Verify Fix Applied:
After updating, confirm the reported version is 0.1027.2 or higher. Then export a test dashboard while capturing outbound traffic from the Lightdash host and confirm that no request leaves for any host outside your allowlist.
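A plain string comparison on the version is a trap here (lexicographically "0.999.0" sorts after "0.1027.2"), so the check below, an added example rather than Lightdash project code, parses the health response and compares the version numerically against the fixed release. It assumes the version lives under `results.version` in the health JSON (the `curl | grep` check above makes the same assumption about a `version` key); the sample bodies are constructed, not captured from a real instance.

```python
"""Check a Lightdash health response against the CVE-2024-6586 fix version.

Added example, not part of the Lightdash project. Assumes /api/v1/health
returns JSON with the version under results.version; the sample bodies
below are constructed, not real server output.
"""
import json
import re
import sys

FIXED_VERSION = "0.1027.2"


def parse_version(version: str) -> tuple:
    """Turn '0.1027.2' (optionally prefixed with 'v') into a comparable tuple.

    Numeric tuples compare correctly where strings do not:
    (0, 999, 0) < (0, 1027, 2) even though "0.999.0" > "0.1027.2".
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the running version predates the fix in 0.1027.2."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_health(body: str) -> str:
    """Extract the version from a /api/v1/health JSON body.

    Assumed shape: {"status": "ok", "results": {"version": "..."}}.
    Falls back to a top-level "version" key so the check degrades gracefully.
    """
    data = json.loads(body)
    version = data.get("results", {}).get("version") or data.get("version")
    if not version:
        raise ValueError("no version field in health response")
    return version


# Constructed sample bodies (assumed shape, not real server output).
SAMPLE_VULNERABLE = '{"status":"ok","results":{"healthy":true,"version":"0.1027.1"}}'
SAMPLE_FIXED = '{"status":"ok","results":{"healthy":true,"version":"0.1027.2"}}'

if __name__ == "__main__":
    # Pipe a live response in (curl -s .../api/v1/health | python3 check.py)
    # or run with no input to see the constructed samples evaluated.
    bodies = [sys.stdin.read()] if not sys.stdin.isatty() else [SAMPLE_VULNERABLE, SAMPLE_FIXED]
    for body in bodies:
        v = version_from_health(body)
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```

Versions with a pre-release suffix are rejected rather than guessed at, which is the safer failure mode for a patch-status check.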
📡 Detection & Monitoring
Log Indicators:
- Dashboards created or edited by Editors that contain HTML elements referencing external hosts
- Unusual dashboard creation patterns, such as a new dashboard followed quickly by an export request from a different, higher-privileged user
- Export requests to /api/v1/dashboards/*/export for recently created dashboards
Network Indicators:
- Outbound HTTP/HTTPS requests from Lightdash server to unknown domains following dashboard exports
- Unusual traffic patterns during export operations
SIEM Query (adapt field names to your log source):
source="lightdash" AND (uri_path="/api/v1/dashboards/*/export" OR message="export") AND (status="error" OR response_time>5000)
This surfaces anomalous export activity only; a successful exfiltration looks like an ordinary, successful export, so pair it with the network indicators above.
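The network indicator above (outbound requests to unknown domains shortly after an export) is the signal a successful attack cannot avoid producing. The correlation below is an added example, not Lightdash project code: it joins export requests from the application log with egress connections from the Lightdash host and reports any connection to a non-allowlisted host inside a window after the export. Both log line formats, the 30-second window, and the sample lines are constructed assumptions; map the regexes onto your own log shapes.

```python
"""Correlate dashboard exports with outbound connections from the Lightdash host.

Added example for the network indicator above; not Lightdash project code.
The application-log and egress-log formats, the window, and the sample
lines are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed app-log shape: "<iso-ts> <METHOD> <path> user=<name> <status>"
EXPORT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>GET|POST) "
    r"(?P<path>/api/v1/dashboards/[^/\s]+/export)\S* user=(?P<user>\S+)"
)
# Assumed egress-log shape: "<iso-ts> egress src=<host> dst=<host>:<port>"
EGRESS_RE = re.compile(r"^(?P<ts>\S+) egress src=(?P<src>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines, allowed_hosts, window=timedelta(seconds=30)):
    """Return (export_time, user, export_path, host) for each egress connection
    to a non-allowlisted host that occurs within `window` after an export."""
    exports, egress = [], []
    for line in lines:
        m = EXPORT_RE.match(line)
        if m:
            exports.append((parse_ts(m["ts"]), m["user"], m["path"]))
            continue
        m = EGRESS_RE.match(line)
        if m and m["host"].lower() not in allowed_hosts:
            egress.append((parse_ts(m["ts"]), m["host"].lower()))

    findings = []
    for ex_ts, user, path in exports:
        for eg_ts, host in egress:
            if ex_ts <= eg_ts <= ex_ts + window:
                findings.append((ex_ts.isoformat(), user, path, host))
    return findings


# Constructed sample log lines (not captured from a real deployment).
SAMPLE_LOGS = [
    "2024-08-01T10:00:00Z POST /api/v1/dashboards/7a1c/export user=alice 200",
    "2024-08-01T10:00:02Z egress src=lightdash dst=cdn.example.com:443",
    "2024-08-01T10:00:04Z egress src=lightdash dst=attacker.example.net:443",
    "2024-08-01T10:05:00Z GET /api/v1/dashboards/7a1c user=bob 200",
    "2024-08-01T10:07:00Z egress src=lightdash dst=updates.example.org:443",
    "2024-08-01T11:00:00Z POST /api/v1/dashboards/9f3b/export user=carol 200",
    "2024-08-01T11:00:01Z egress src=lightdash dst=cdn.example.com:443",
]
ALLOWED_EGRESS = {"cdn.example.com"}

if __name__ == "__main__":
    for ex_ts, user, path, host in correlate(SAMPLE_LOGS, ALLOWED_EGRESS):
        print(f"{ex_ts} export by {user} ({path}) followed by egress to {host}")
```

The second export (by carol) produces no finding because its only egress goes to an allowlisted CDN, and the 10:07 connection is not attributed to alice's export because it falls outside the window. Tune the window to how long your exports take to render; too short and a slow render hides the callback, too long and unrelated maintenance traffic starts to correlate.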
🔗 References
- https://github.com/google/security-research/security/advisories/GHSA-4h7x-6vxh-7hjf
- https://github.com/lightdash/lightdash
- https://github.com/lightdash/lightdash/pull/9295
- https://github.com/lightdash/lightdash/releases/tag/0.1027.2
- https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch
- https://www.cve.org/CVERecord?id=CVE-2024-6586