Headline

GHSA-r25m-cr6v-p9hq: ethyca-fides Webserver API Path Traversal vulnerability

Impact

A path traversal (directory traversal) vulnerability affects fides versions lower than 2.15.1, allowing remote attackers to access arbitrary files on the fides webserver container’s filesystem.

Patches

The vulnerability is patched in fides 2.15.1. Users should upgrade to this version.

Workarounds

If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca’s security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can’t be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error.

Additionally, any secrets supplied to the container using environment variables rather than a fides.toml configuration file are not affected by this vulnerability.
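The advisory above does not show the affected code or the fix, so the following is an added example, not the Fides project's code and not its actual patch. It shows the defensive check a webserver API needs when a client-supplied file name is joined onto a base directory: resolve the full path, then require that it still lies inside the base. The base directory, function names and sample file names (including a sibling `fides.toml` standing in for the configuration file the advisory mentions) are constructed for illustration.

```python
"""Confine a client-supplied relative path to a fixed base directory.

Added example (hypothetical names, not Fides project code). POSIX paths
are assumed throughout.
"""
import os
import tempfile


class PathOutsideBase(ValueError):
    """Raised when the requested path would resolve outside the base directory."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise.

    Both the base and the joined path go through realpath so that '..'
    segments, redundant separators and symlinks are all normalised before
    the containment check. Absolute requests are rejected outright because
    os.path.join() would otherwise discard base_dir entirely.
    """
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise PathOutsideBase(f"rejected request: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() avoids the "/srv/files" vs "/srv/files_other" prefix trap
    # that a plain str.startswith() check would fall into.
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(f"{requested!r} escapes {base_dir!r}")
    return candidate


def is_confined(base_dir: str, requested: str) -> bool:
    """Boolean form of the same check, convenient for request validation."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except PathOutsideBase:
        return False


def read_text_under_base(base_dir: str, requested: str) -> str:
    """Read a file only after its path has been confined to base_dir."""
    with open(resolve_under_base(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise the check against constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "public")
        os.makedirs(os.path.join(base, "docs"))
        with open(os.path.join(base, "docs", "readme.txt"), "w") as fh:
            fh.write("hello")
        # Constructed sibling file that must stay unreachable through the API.
        with open(os.path.join(tmp, "fides.toml"), "w") as fh:
            fh.write("[database]\npassword = 'constructed-placeholder'\n")
        results["ok"] = read_text_under_base(base, "docs/readme.txt")
        probes = [("dotdot", "../fides.toml"),
                  ("nested", "docs/../../fides.toml"),
                  ("absolute", os.path.join(tmp, "fides.toml"))]
        for name, req in probes:
            try:
                read_text_under_base(base, req)
                results[name] = "allowed"
            except PathOutsideBase:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The second half of the advisory's workaround also follows from this design: a file read that is confined to an application directory never reaches a configuration file stored elsewhere, and secrets that live only in environment variables are not on the filesystem at all, so no path check is needed to protect them.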

Source: ghsa
Tags: #vulnerability #web #git #aws

ethyca-fides Webserver API Path Traversal vulnerability

High severity • GitHub Reviewed • Published Jul 5, 2023 in ethyca/fides • Updated Jul 6, 2023

Package: ethyca-fides (pip)

Affected versions: < 2.15.1

References

  • GHSA-r25m-cr6v-p9hq
  • https://nvd.nist.gov/vuln/detail/CVE-2023-36827
  • ethyca/fides@f526d9f
  • https://github.com/ethyca/fides/releases/tag/2.15.1

Published to the GitHub Advisory Database

Jul 6, 2023

Related news

CVE-2023-36827: Path Traversal in Webserver API

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides `2.15.1`. If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can't be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.