# CVE-2023-37481: Merge pull request from GHSA-3rw2-wfc8-wmj5 · ethyca/fides@8beaace

Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.
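A stand-alone checker in the spirit of the fix, added here as an example and not the Fides project's own code: it refuses SVG text that carries a DOCTYPE (the only place the entity declarations of a billion-laughs document can live) or an href/xlink:href reference, and it goes beyond the page's rule by refusing the unprefixed SVG 2 `href` as well. The function names, the `UnsafeSvgError` class and the sample inputs are assumptions.

```python
from typing import Optional
import xml.parsers.expat

XLINK_NS = "http://www.w3.org/1999/xlink"


class UnsafeSvgError(ValueError):
    """Raised when an SVG document must not be handed to a browser."""


def verify_svg(svg_text: str) -> None:
    """Reject DOCTYPE declarations and href attributes by aborting the parse.
    Stopping at the DOCTYPE refuses an entity bomb before expat expands anything
    (entities can only be declared in a DTD), so the check itself stays cheap."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity bombs live in the internal subset; a browser renders SVG without a DTD.
        raise UnsafeSvgError("SVG file contains unsafe XML.")

    def on_start_element(name, attrs):
        # With namespace processing on, xlink:href arrives as "<xlink-ns> href".
        # Stricter than the page's rule: the unprefixed SVG 2 href is refused too.
        for attr in attrs:
            if attr == "href" or attr == f"{XLINK_NS} href":
                raise UnsafeSvgError("SVG files with xlink references are not allowed.")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(svg_text, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSvgError(f"SVG file is not well-formed XML: {exc}") from exc


def check_svg(svg_text: str) -> Optional[str]:
    """Return None when the SVG is accepted, otherwise the rejection reason."""
    try:
        verify_svg(svg_text)
    except UnsafeSvgError as exc:
        return str(exc)
    return None


# Constructed sample inputs (not taken from the Fides repository).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
BOMB_SVG = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY e "x">]><svg>&e;</svg>'
XLINK_SVG = (f'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="{XLINK_NS}">'
             '<circle id="c" r="4"/><use xlink:href="#c"/></svg>')
```

Refusing every DOCTYPE also drops exports that merely reference the public SVG 1.1 DTD; if those must be accepted, raise only when `has_internal_subset` is set, since expat does not fetch external subsets by default.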
@@ -3,10 +3,57 @@
import pytest
from fides.api.util.unsafe_file_util import verify_zip
from fides.api.common_exceptions import ValidationError
from fides.api.util.unsafe_file_util import verify_svg, verify_zip
from tests.ops.test_helpers.saas_test_utils import create_zip_file
class TestVerifySvg:
def test_verify_svg(self):
verify_svg(
“""<svg xmlns="http://www.w3.org/2000/svg” viewBox="0 0 100 100">
<circle cx="50" cy="50" r="40"/>
</svg>
“"”
)
def test_verify_svg_no_laughing_allowed(self):
“""Test “billion laughs attack” is prevented""”
with pytest.raises(ValidationError) as exc:
verify_svg(
“""<?xml version="1.0” encoding="UTF-8" standalone="yes"?>
<!DOCTYPE svg [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<svg>
<lolz>&lol9;</lolz>
</svg>
“"”
)
assert “SVG file contains unsafe XML.” in str(exc.value)
def test_verify_svg_with_xlink(self):
with pytest.raises(ValidationError) as exc:
verify_svg(
“""<svg xmlns="http://www.w3.org/2000/svg” xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
<circle id="circle" cx="50" cy="50" r="40"/>
<use xlink:href="#circle"/>
</svg>
“"”
)
assert “SVG files with xlink references are not allowed.” in str(exc.value)
class TestVerifyZip:
@pytest.fixture
def zip_file(self) -> BytesIO:
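Review bot: test_verify_svg passes only because verify_svg raises nothing for the benign document, so a regression that turned the check into a no-op would not be caught by any assertion; make the intent explicit, for example `assert verify_svg(...) is None` if the function returns None, or a comment stating that no exception is the expected outcome. The two negative tests check message substrings after the `with` block; `pytest.raises(ValidationError, match=...)` expresses the same check in one place and drops the `as exc` capture. The hunk covers an internal-subset DOCTYPE and `xlink:href`; a case with a DOCTYPE that only references an external DTD, and a `<use href=...>` without the xlink prefix, would pin down whether those are meant to be accepted or rejected.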