CVE-2023-36827 : Fides is an open-source privacy engineering platform for managing the fulfillmen

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides `2.15.1`. If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can't be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.

Published 2023-07-05 22:15:10

Updated 2023-07-12 15:56:37

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2023-36827

Ethyca » Fides
Versions before (<) 2.15.1
cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-36827

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-36827

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-36827

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-36827

https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f

Merge pull request from GHSA-r25m-cr6v-p9hq · ethyca/fides@f526d9f · GitHub
Patch
https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq

Path Traversal in Webserver API · Advisory · ethyca/fides · GitHub
Mitigation;Third Party Advisory
https://github.com/ethyca/fides/releases/tag/2.15.1

Release v2.15.1 · ethyca/fides · GitHub
Release Notes

Jump to

Vulnerability Details : CVE-2023-36827

Products affected by CVE-2023-36827

Exploit prediction scoring system (EPSS) score for CVE-2023-36827

CVSS scores for CVE-2023-36827

CWE ids for CVE-2023-36827

References for CVE-2023-36827