CVE-2023-37480: Merge pull request from GHSA-g95c-2jgm-hqc6 · ethyca/fides@5aea738
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions 2.11.0 through 2.15.1. Exploitation is limited to users with elevated privileges with the CONNECTOR_TEMPLATE_REGISTER scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version 2.16.0. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.
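As an added example (not the project's own code), a bounded variant of the streaming check the fix below applies: it counts only bytes the decompressor actually produces, and in addition to the per-entry limit it caps the total decompressed size and the number of entries, with a constructed in-memory archive of highly compressible members to exercise it. The limit values, `verify_zip_bounded`, `make_test_zip` and `check_upload` are assumptions made for this example.

```python
import io
import zipfile

# Limits for an uploaded archive (assumed values for this example).
MAX_FILE_SIZE = 16 * 1024 * 1024   # decompressed bytes per entry
MAX_TOTAL_SIZE = 64 * 1024 * 1024  # decompressed bytes across all entries
MAX_ENTRIES = 200                  # number of members allowed
CHUNK_SIZE = 64 * 1024


def verify_zip_bounded(zip_file, max_file_size=MAX_FILE_SIZE,
                       max_total_size=MAX_TOTAL_SIZE, max_entries=MAX_ENTRIES):
    """Stream-decompress every member, aborting as soon as a limit is hit.
    Header sizes are under the uploader's control, so only bytes actually
    produced by the decompressor are counted. Returns the total decompressed
    size; raises ValueError on any violation."""
    infos = zip_file.infolist()
    if len(infos) > max_entries:
        raise ValueError(f"archive has {len(infos)} entries, limit is {max_entries}")
    total = 0
    for info in infos:
        file_size = 0
        with zip_file.open(info) as member:
            for chunk in iter(lambda: member.read(CHUNK_SIZE), b""):
                file_size += len(chunk)
                total += len(chunk)
                # Checked inside the loop so an oversized member stops
                # decompression early instead of being read to the end.
                if file_size > max_file_size:
                    raise ValueError(f"{info.filename} exceeds per-file limit")
                if total > max_total_size:
                    raise ValueError("archive exceeds total decompressed limit")
    return total


def make_test_zip(entries):
    """Constructed in-memory archive; members are runs of NUL bytes, which
    deflate to a tiny fraction of their size (name -> decompressed size)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in entries.items():
            zf.writestr(name, b"\0" * size)
    buf.seek(0)
    return zipfile.ZipFile(buf)


def check_upload(entries, **limits):
    """Return 'accepted:<total>' or 'rejected:<reason>' for a constructed archive."""
    try:
        return f"accepted:{verify_zip_bounded(make_test_zip(entries), **limits)}"
    except ValueError as exc:
        return f"rejected:{exc}"
```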
@@ -0,0 +1,34 @@ from typing import Optional from zipfile import ZipFile
MAX_FILE_SIZE = 16 * 1024 * 1024 # 16 MB CHUNK_SIZE = 1024
def verify_zip(zip_file: ZipFile, max_file_size: Optional[int] = None) -> None: “"” Function to safely verify the contents of zipped files. It prevents potential ‘zip bomb’ attacks by checking the file size of the files in the zip without fully extracting them. If the size of any file in the zip exceeds the specified max_file_size, it raises a ValueError. If the max_file_size is not provided, it uses a default value of 16 MB. :param zip_file: A ZipFile object to be verified. :param max_file_size: An optional integer specifying the maximum bytes allowed per file. If not provided, a default value is used. :raises ValueError: If a file in the zip file exceeds the maximum allowed size “"”
if max_file_size is None: max_file_size = MAX_FILE_SIZE
for file_info in zip_file.infolist(): file_size = 0
with zip_file.open(file_info) as file: # wraps the file read in an iterator that stops once no bytes # are returned or the max file size is reached for chunk in iter(lambda: file.read(CHUNK_SIZE), b""): file_size += len(chunk)
if file_size > max_file_size: raise ValueError(“File size exceeds maximum allowed size”)
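Review bot: the `if file_size > max_file_size: raise ValueError(...)` check must sit inside the `for chunk in iter(...)` loop body, not after the `with` block; the flattened hunk leaves the indentation ambiguous, and if the check runs only once per member, every member is still decompressed to its end before being rejected, which keeps the CPU-time part of the DoS. Separately, `file_size = 0` is reset for each entry of `infolist()`, so only a per-member limit is enforced: an archive of many members each just under `max_file_size` still decompresses without bound; suggest a cumulative counter across entries checked against a total limit, plus a cap on the number of entries. Minor: with `CHUNK_SIZE = 1024` a 16 MB member costs about 16k `read` calls; a larger chunk (for example 64 KiB) is cheaper with no loss of safety.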