CVE Radar

CVE-2024-6586

Severity: Medium
SVRS: 30
CVSSv3: NA
EPSS: 0.01786
Tags: No tags available
Publication date: 2024-08-30
Last modified: 2024-09-03


Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-6586, affects Lightdash version 0.1024.6. It allows an attacker to achieve session takeover by exploiting a Server-Side Request Forgery (SSRF) vulnerability during the dashboard export process. Users with sufficient permissions, such as Administrator or Editor, can create and share dashboards. If a dashboard contains specially crafted HTML elements that point to an attacker-controlled external source, exporting this dashboard will trigger an SSRF request. This forged request inadvertently includes the exporting user's session token. An attacker can then intercept this session token and use it to impersonate the victim user, gaining unauthorized access to their account and performing actions within the application as if they were the legitimate user. This is critical because it compromises user authentication and can lead to unauthorized data access, modification, or complete control over compromised accounts, including those with elevated privileges.
2. What are the CVSS score, severity level, and disclosure details?
The Common Vulnerability Scoring System (CVSS) score for CVE-2024-6586 is not available (None). Therefore, a formal CVSS-based severity level cannot be determined from the provided data. The vulnerability was published on August 30, 2024, at 22:25:48 UTC, and last modified on September 03, 2024, at 14:50:25 UTC.
3. Which products, vendors, systems, and versions are affected?
The vulnerability affects the following:
  • Product: Lightdash
  • Version: 0.1024.6
4. What is the technical root cause and attack vector?
The technical root cause of CVE-2024-6586 is an improper handling of external HTML elements within Lightdash dashboards during the export process. Specifically, the application fails to adequately sanitize or restrict HTML content that can point to external resources. When a dashboard containing such malicious HTML is exported, the application performs a Server-Side Request Forgery (SSRF) to the attacker's controlled source. The attack vector involves a threat actor, who possesses Administrator or Editor permissions, creating a malicious dashboard. This dashboard is crafted to include HTML elements that, upon export, cause the Lightdash server to make an outbound request to a URL controlled by the attacker. During this SSRF request, the session token of the user initiating the export is included in the forged request, allowing the attacker to capture it. The vulnerability is also categorized under CWE-201 (Information Exposure Through Sent Data).
5. How can this vulnerability be exploited?
This vulnerability can be exploited by a threat actor who has existing permissions to create and share dashboards (e.g., Administrator or Editor roles) within Lightdash version 0.1024.6. The exploitation steps are as follows:
  1. The attacker creates a new dashboard or modifies an existing one.
  2. Within this dashboard, the attacker embeds HTML elements that are configured to point to a server or endpoint controlled by the attacker. These HTML elements are designed to trigger an outbound request when the dashboard is processed for export.
  3. The attacker then shares this malicious dashboard, or waits for any legitimate user (including other administrators or editors) to export it.
  4. When a victim user exports the crafted dashboard via a POST request to the /api/v1/dashboards//export endpoint, the malicious HTML elements trigger an SSRF request to the attacker's controlled server.
  5. Crucially, the forged request contains the exporting user's session token.
  6. The attacker, monitoring their controlled server, captures this session token.
  7. With the captured session token, the attacker can then perform a session takeover, impersonating the victim user and executing actions within Lightdash with the victim's privileges.
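As an added defensive illustration (this is not Lightdash's own code and not the fix in the referenced pull request), the following shows the two controls that address the root cause described above: a pre-export check that refuses dashboard tile HTML pointing at off-origin resources, and a guard that withholds the session cookie from any off-origin request the export renderer would make. The app origin, the attribute list and the sample tile HTML are assumptions.

```javascript
// Added example, not Lightdash code. Assumes the exporter renders tile HTML
// server-side and that APP_ORIGIN is the deployment's own origin.
const APP_ORIGIN = 'https://lightdash.example';

// Attributes through which an HTML element triggers a fetch when rendered.
const URL_ATTRS = ['src', 'href', 'srcset', 'action', 'formaction', 'poster', 'data', 'background'];
const ATTR_RE = new RegExp(`\\s(${URL_ATTRS.join('|')})\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'gi');
const CSS_URL_RE = /url\(\s*['"]?([^'")]+)['"]?\s*\)/gi; // url(...) inside style attributes

// Constructed sample tile: one same-origin image and one off-origin tracker.
const SAMPLE_TILE = '<p>Revenue</p><img src="/logo.png"><img src="https://collector.invalid/p.gif">';

// True when a reference resolves to a different origin than the app itself,
// i.e. rendering it would make the server call out to a third party.
function isExternal(ref, appOrigin = APP_ORIGIN) {
  if (/^\s*(data|blob):/i.test(ref)) return false; // inline content, no network fetch
  try {
    return new URL(ref.trim(), appOrigin).origin !== new URL(appOrigin).origin;
  } catch {
    return true; // unparseable reference: fail closed
  }
}

// Collect every off-origin reference in a tile's HTML (attributes and CSS url()).
function findExternalReferences(html, appOrigin = APP_ORIGIN) {
  const refs = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const value = m[3] ?? m[4] ?? m[5];
    // srcset carries "url descriptor, url descriptor" pairs; check each url
    const candidates = m[1].toLowerCase() === 'srcset'
      ? value.split(',').map((s) => s.trim().split(/\s+/)[0])
      : [value];
    for (const c of candidates) if (isExternal(c, appOrigin)) refs.push(c);
  }
  for (const m of html.matchAll(CSS_URL_RE)) if (isExternal(m[1], appOrigin)) refs.push(m[1]);
  return refs;
}

// Pre-export gate: refuse to render a dashboard whose tiles would make the
// renderer reach an off-origin host while carrying the exporting user's session.
function assertExportable(tileHtmls, appOrigin = APP_ORIGIN) {
  const bad = tileHtmls.flatMap((h) => findExternalReferences(h, appOrigin));
  if (bad.length) throw new Error(`export blocked, external references: ${bad.join(', ')}`);
  return true;
}

// Renderer-side guard: attach the session cookie only to same-origin requests,
// so even an unsanitized reference cannot carry the token off-site.
function shouldAttachSession(requestUrl, appOrigin = APP_ORIGIN) {
  return !isExternal(requestUrl, appOrigin);
}

module.exports = { isExternal, findExternalReferences, assertExportable, shouldAttachSession, SAMPLE_TILE };
```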
6. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-6586 is High. Although the vulnerability requires an attacker to have existing Administrator or Editor permissions to create the malicious dashboard, the subsequent impact is severe: session takeover of any user who exports the dashboard, including other high-privilege users. This allows for complete compromise of user accounts and potentially unauthorized access to sensitive data or system control. The urgency level is High. Organizations using Lightdash version 0.1024.6 should address this vulnerability immediately to prevent potential session hijacking and unauthorized access.

No IOCs found for this CVE

No exploits found for this CVE



References
  • https://github.com/google/security-research/security/advisories/GHSA-4h7x-6vxh-7hjf
  • https://github.com/lightdash/lightdash
  • https://github.com/lightdash/lightdash/pull/9295
  • https://github.com/lightdash/lightdash/releases/tag/0.1027.2
  • https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch
  • https://www.cve.org/CVERecord?id=CVE-2024-6586

Weakness classification
  • CWE ID: CWE-201
  • CWE Name: Insertion of Sensitive Information Into Sent Data
  • Description: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
