From this web page screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability name: Lightdash - Server-Side Request Forgery Session Takeover

2. Severity: High

3. Description:
- Summary: Server-Side Request Forgery (SSRF) in the export dashboard functionality of Lightdash version 0.1024.6 allows remote authenticated threat actors to obtain the session cookie of any user who exports a crafted dashboard. When they are exported, dashboards containing HTML elements can trigger HTTP requests to an external domain that contain the exporting user's session cookie. The cookie could be stolen by a threat actor and used to hijack application user sessions.

4. Impact:
- Severity: HIGH
- Exploitation of this vulnerability could lead to user session compromise and allow a threat actor to take over user sessions. If an administrative user is targeted, the threat actor could gain administrative control over the Lightdash instance.

5. Exploitation:
- Proof of Concept: Exploitation of this vulnerability requires a threat actor to inject HTML elements into a shared dashboard which point to a threat actor controlled source. Any user who exports the dashboard will leak their session token to the threat actor.

6. Reproduction steps:
- 1. Log into the application with a user that has permissions to create a new dashboard.
- 2. Create a new markdown dashboard containing HTML injection payloads pointing to Burp Collaborator and save the dashboard.
- 3. Click on the "Export Dashboard" menu and click "Generate preview".
- 4. Wait for the preview to generate and observe an HTTP request to Burp Collaborator which contains the session cookie for the user who initiated the preview generation.
- 5. Share the dashboard with a simulated victim user.
- 6. Log into the application as a simulated victim user and recreate the steps to generate a preview of the dashboard.
- 7. Wait for the preview to generate and observe that the simulated victim user's session cookie was exfiltrated to Burp Collaborator.

7. Further analysis:
- A threat actor must be authenticated to the application and possess the necessary permissions to create or edit a shared dashboard and inject a payload. Any user exporting the dashboard will trigger the vulnerability and leak their session token. A threat actor could wait for a user to trigger the SSRF during organic application interaction or force the user to perform the action with cross-site scripting, as described in CVE-2024-6585.

8. Vendor analysis:
- The vendor determined that the root cause of this issue was Puppeteer setting sensitive headers + cookies on requests to headless browser. The issue was remediated in version 0.1027.2.

9. Remediation:
- Remediated Version: https://github.com/lightdash/lightdash/releases/tag/0.1027.2
- Git Patch: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch
- GitHub Pull Request: lightdash/lightdash#9295

10. Timeline:
- Date reported: 03/07/2024
- Date fixed: 03/8/2024
- Date disclosed: 08/30/2024

This information describes in detail the nature, impact, reproduction steps, further analysis, vendor analysis, remediation and timeline of the SSRF vulnerability in Lightdash, and helps in understanding its severity and fix status.
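The vendor's root cause (the exporting user's session cookie and sensitive headers being handed to the headless browser, which then attaches them to every request the rendered dashboard makes) suggests two defensive controls when a server renders user-controlled content with Puppeteer: scope the session cookie to the application's own host instead of passing it as a blanket extra header, and block every request the rendered page makes to any other origin. The example below is added here and is not Lightdash's code or its actual fix; it assumes Puppeteer's page API (`setRequestInterception`, `on('request')`, `setCookie`), takes the page object as a parameter so the logic can be exercised without a browser, and uses a constructed origin and cookie name.

```javascript
// Added example (not Lightdash's code). Assumes a Puppeteer-compatible
// `page` object; the app origin and cookie below are constructed values.

// Decide whether a URL requested by the rendered dashboard may proceed.
// Only same-origin requests (same scheme, host and port) are allowed, so
// injected <img>/<iframe>/<script> elements pointing elsewhere are refused.
function isAllowedRequest(requestUrl, appOrigin) {
  let parsed;
  try {
    parsed = new URL(requestUrl);
  } catch (e) {
    return false; // unparsable URLs are never allowed
  }
  // URL.origin normalises default ports, so 'https://host:443' == 'https://host'
  return parsed.origin === new URL(appOrigin).origin;
}

// Install the guard on a page before navigating to the dashboard:
// 1. intercept requests and abort anything cross-origin, recording it;
// 2. set the session cookie bound to the app host only (HttpOnly, Secure),
//    rather than via setExtraHTTPHeaders, which would ride on every request.
async function attachExportGuard(page, appOrigin, sessionCookie) {
  const origin = new URL(appOrigin);
  const blocked = []; // cross-origin URLs seen; worth logging as exfil attempts
  await page.setRequestInterception(true);
  page.on('request', (req) => {
    if (isAllowedRequest(req.url(), appOrigin)) {
      req.continue();
    } else {
      blocked.push(req.url());
      req.abort('blockedbyclient');
    }
  });
  await page.setCookie({
    name: sessionCookie.name,
    value: sessionCookie.value,
    domain: origin.hostname,
    path: '/',
    httpOnly: true,
    secure: origin.protocol === 'https:',
  });
  return blocked;
}
```

In a real export flow the returned `blocked` list should be logged with the dashboard and user identifiers, since a non-empty list on a dashboard export is a strong signal that someone has planted an exfiltration element.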