Server-Side Request Forgery Vulnerability in Custom Integration Upload
CVE-2023-46124

8.2HIGH

Key Information:

Vendor

Ethyca

Status
Fides
Vendor
CVE Published:
25 October 2023

What is CVE-2023-46124?

Fides, an open-source privacy engineering platform developed by Ethyca, has a vulnerability that allows attackers to execute arbitrary requests by uploading specially crafted YAML configuration and dataset files. These files exploit a lack of proper validation in the web application, enabling access to internal systems and the potential exfiltration of sensitive data. The flaw is significant as it bypasses localhost protections, compromising the integrity of runtime environments where Fides operates. This security risk has been addressed in the release of Fides version 2.22.1.

Affected Version(s)

fides < 2.22.1

References

https://github.com/ethyca/fides/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/ethyca/fides/commit/cd344d016b1441662a...
x_refsource_MISC
https://github.com/ethyca/fides/releases/tag/2.22.1
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.