Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| dagster(PyPI) | 0 | 1.10.16 | N/A |
CVSS Metrics
