CVE-2023-37481

Published: Jul 18, 2023

Modified: Oct 18, 2024

PUBLISHED

CVSS v3.1

2.7

LOW

Description

Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.

Vendor	Product	Versions
ethyca	fides	affected `>= 2.11.0, < 2.16.0`

Weaknesses (CWE)

CWE-400

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5

x_refsource_CONFIRM

https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37481

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References