Skip to main content

Fides CVE-2023-36827

HIGH
Path Traversal (CWE-22)
2023-07-05 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 05, 2023 - 22:15 nvd
HIGH 7.5

DescriptionNVD

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version 2.15.1, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides 2.15.1.

If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can't be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a fides.toml configuration file are not affected by this vulnerability.

AnalysisAI

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version 2.15.1, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides 2.15.1. If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can't be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a fides.toml configuration file are not affected by this vulnerability. Affected products include: Ethyca Fides.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Fides

View all
CVE-2024-45053 HIGH POC
7.2 Sep 04

Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp

CVE-2024-35189 MEDIUM POC
6.5 May 30

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-38537 CRITICAL
9.8 Jul 02

Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2024-45052 MEDIUM POC
5.3 Sep 04

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e

CVE-2024-31223 MEDIUM POC
5.3 Jul 03

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration env

CVE-2023-48224 CRITICAL
9.1 Nov 15

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2024-34715 LOW POC
3.3 May 29

Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co

CVE-2023-46124 HIGH
7.2 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

CVE-2023-41319 HIGH
7.2 Sep 06

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-46125 MEDIUM
6.5 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-47114 MEDIUM
6.1 Nov 08

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti

CVE-2023-46126 MEDIUM
5.4 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

Share

CVE-2023-36827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy