CVE-2023-36827

moderate-risk
Published 2023-07-05

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides `2.15.1`. If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can't be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.

Do I need to act?

-
0.18% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Ethyca

References (6)

Patch https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f
Release Notes https://github.com/ethyca/fides/releases/tag/2.15.1
Mitigation https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq
Patch https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f
Release Notes https://github.com/ethyca/fides/releases/tag/2.15.1
Mitigation https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq
32
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal