Fides vulnerable to Path Traversal in Webserver API
CVE-2023-36827
7.5 HIGH
What is CVE-2023-36827?
The Fides open-source privacy engineering platform has a path traversal vulnerability in versions earlier than 2.15.1 that allows remote attackers to potentially access arbitrary files on the filesystem of the Fides webserver container. The issue is fixed in version 2.15.1; until upgraded, it poses a significant risk wherever the Fides webserver API is exposed directly to attackers. To mitigate this risk, deploy Fides behind a reverse proxy, such as the AWS Application Load Balancer, which rejects such requests. Additionally, supplying container secrets through environment variables rather than the configuration file keeps that sensitive information out of reach of this vulnerability.
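As an added defensive example (not Fides' own code, and nothing here is taken from the Fides codebase), the containment check a file-serving endpoint needs to close this bug class: resolve the client-supplied path under a fixed base directory and refuse anything that escapes it, including percent-encoded and symlinked routes out. The directory layout, the `config.toml` file and its contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served directory."""


def resolve_within(base_dir: str, requested: str, max_decode_rounds: int = 3) -> Path:
    """Return the real path of `requested` under `base_dir`, or raise if it escapes."""
    base = Path(base_dir).resolve()
    decoded = requested
    for _ in range(max_decode_rounds):  # catch %2e%2e%2f and double-encoded %252e%252e%252f alike
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    if decoded.startswith(("/", "\\")) or "\\" in decoded:
        raise PathTraversalError("absolute path or backslash separator rejected")
    candidate = (base / decoded).resolve()  # normalises '..' and follows symlinks
    if base not in candidate.parents:  # must be strictly inside base, not base itself
        raise PathTraversalError(f"{requested!r} escapes {base_dir}")
    return candidate


def demo() -> dict:
    """Constructed fixture: a served directory with one public file and a symlink pointing outside it."""
    outside = tempfile.mkdtemp()
    secret = os.path.join(outside, "config.toml")  # constructed stand-in for a config file holding secrets
    with open(secret, "w") as f:
        f.write("database_password = 'placeholder'\n")
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "public.txt"), "w") as f:
        f.write("ok\n")
    os.symlink(secret, os.path.join(base, "link"))  # a symlink inside base that resolves outside it
    outside_name = os.path.basename(outside)
    requests = {
        "public": "public.txt",
        "dotdot": "../" + outside_name + "/config.toml",
        "encoded": "%2e%2e%2f" + outside_name + "/config.toml",
        "double_encoded": "%252e%252e%252f" + outside_name + "/config.toml",
        "symlink": "link",
    }
    results = {}
    for label, req in requests.items():
        try:
            resolve_within(base, req)
            results[label] = True  # served
        except PathTraversalError:
            results[label] = False  # rejected
    return results
```

Only the in-directory file is served; every traversal variant, including the symlink that points outside the served tree, is rejected before any file is opened.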
Affected Version(s)
fides < 2.15.1
