PT-2023-25991 · Fides · Fides

Daveqnet

·

Published

2023-07-18

·

Updated

2023-07-27

·

CVE-2023-37481

CVSS v3.1

2.7

Low

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Fides versions 2.11.0 through 2.15.1
Description: The Fides webserver is vulnerable to a Denial of Service (DoS) attack. Attackers can exploit this vulnerability by uploading zip files containing malicious SVG bombs, causing resource exhaustion in Admin UI browser tabs and a persistent denial of service of the 'new connector' page (datastore-connection/new). Exploitation is limited to users with elevated privileges holding the CONNECTOR TEMPLATE REGISTER scope, which includes root users and users with the owner role.
Recommendations: For Fides versions 2.11.0 through 2.15.1, upgrade to version 2.16.0 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the datastore-connection/new page until the upgrade can be applied. Avoid granting the CONNECTOR TEMPLATE REGISTER scope to users without elevated privileges until the issue is resolved, and restrict the upload of zip files to minimize the risk of exploitation.
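The upload restriction recommended above can be enforced server-side before an archive's contents ever reach an Admin UI tab. The following is an added example, not Fides' own code nor the fix shipped in 2.16.0; the function names, the size/element/inflation limits and the zip layout are assumptions chosen for illustration.

```python
import io
import re
import zipfile

# Constructed limits: assumptions for this example, not values from the Fides advisory or fix.
MAX_SVG_BYTES = 64 * 1024      # cap on the declared uncompressed size of one SVG entry
MAX_SVG_ELEMENTS = 2_000       # cap on element start tags in one SVG
MAX_INFLATION_RATIO = 50       # uncompressed/compressed ratio beyond which an entry looks like a zip bomb

_ELEMENT_RE = re.compile(rb"<[A-Za-z]")                            # element start tags only
_ENTITY_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)  # entity-expansion machinery


def check_connector_template_zip(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded template zip; an empty list means it passed.

    Every check runs on zip metadata or raw entry bytes on the server, so an SVG
    that would exhaust a browser tab is refused before the Admin UI ever renders it.
    """
    problems: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > MAX_INFLATION_RATIO:
                problems.append(f"{info.filename}: inflation ratio above {MAX_INFLATION_RATIO}")
            if not info.filename.lower().endswith(".svg"):
                continue
            if info.file_size > MAX_SVG_BYTES:
                problems.append(f"{info.filename}: {info.file_size} bytes exceeds {MAX_SVG_BYTES}")
                continue  # the header already says it is too big; never inflate it
            svg = zf.read(info)
            if _ENTITY_RE.search(svg):
                problems.append(f"{info.filename}: DOCTYPE/ENTITY declarations are not allowed")
            if len(_ELEMENT_RE.findall(svg)) > MAX_SVG_ELEMENTS:
                problems.append(f"{info.filename}: more than {MAX_SVG_ELEMENTS} elements")
    return problems


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct sample uploads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Call `check_connector_template_zip` on the raw upload bytes and reject the request when the returned list is non-empty; the inflation-ratio check also catches ordinary zip bombs hidden in non-SVG entries.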

Exploit

Fix

Resource Exhaustion


Weakness Enumeration

Related identifiers

CVE-2023-37481
GHSA-3RW2-WFC8-WMJ5

Affected products

Fides