CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37480 – Fides Webserver Vulnerable to Zip Bomb File Uploads
https://notcve.org/view.php?id=CVE-2023-37480
18 Jul 2023 — Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elev... • https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37481 – Fides Webserver Vulnerable to SVG Bomb File Uploads
https://notcve.org/view.php?id=CVE-2023-37481
18 Jul 2023 — Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides ve... • https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36827 – Fides vulnerable to Path Traversal in Webserver API
https://notcve.org/view.php?id=CVE-2023-36827
05 Jul 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides `2.15.1`. If the Fides webserver API is not directly accessible to attackers and is i... • https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •