CVE-2023-37480 — LOW (2.7) — White Hats Nepal

Q: How severe is CVE-2023-37480?

CVE-2023-37480 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-37480?

Check the references section above for vendor advisories and patch information. Affected products include: Ethyca Fides.

Vulnerability Description

Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.

CVSS Score

2.7

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Ethyca	Fides	>= 2.11.0, < 2.16.0

Related Weaknesses (CWE)

CWE-400

References

https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32Patch
https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6Third Party Advisory
https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32Patch
https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6Third Party Advisory

FAQ

What is CVE-2023-37480?

CVE-2023-37480 is a vulnerability with a CVSS score of 2.7 (LOW). Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attacker...

How severe is CVE-2023-37480?

CVE-2023-37480 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-37480?

Check the references section above for vendor advisories and patch information. Affected products include: Ethyca Fides.