Daveqnet

Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. The built-in IP-based rate limiting in the Fides Webserver API is ineffective in environments utilizing CDNs, proxies, or load balancers. The system incorrectly applies rate limits based on infrastructure IPs instead of client IPs and stores counters in memory rather than a shared store. This allows attackers to bypass rate limits and potentially cause a denial of service. Deployments using external rate limiting solutions are not affected. Recommendations: Update to version 2.69.1 or later. Implement rate limiting externally at the infrastructure level using a WAF, API Gateway, or similar technology.

Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. The OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Recommendations: Update to version 2.69.1 or later.

**Name of the Vulnerable Software and Affected Versions** Fides versions 2.11.0 through 2.15.1 **Description** Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. Exploitation is limited to users with elevated privileges with the `CONNECTOR TEMPLATE REGISTER` scope, which includes root users and users with the owner role. **Recommendations** For Fides versions 2.11.0 through 2.15.1, upgrade to Fides version 2.16.0 or later to secure your system against this threat. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container. As a temporary workaround, consider restricting access to the connector template upload feature until a patch is applied. Avoid using the `CONNECTOR TEMPLATE REGISTER` scope in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fides versions 2.11.0 through 2.15.1 **Description** The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs, causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). Exploitation is limited to users with elevated privileges with the `CONNECTOR TEMPLATE REGISTER` scope, which includes root users and users with the owner role. **Recommendations** For Fides versions 2.11.0 through 2.15.1, upgrade to version 2.16.0 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the `datastore-connection/new` page until a patch is available. Avoid using the `CONNECTOR TEMPLATE REGISTER` scope for users without elevated privileges until the issue is resolved. Restrict the upload of zip files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.15.1 **Description** A path traversal vulnerability affects Fides, allowing remote attackers to access arbitrary files on the Fides webserver container's filesystem. If the Fides webserver API is deployed behind a reverse proxy, such as an AWS application load balancer, the vulnerability cannot be exploited, and the attack will be rejected with a 400 error. Secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this issue. **Recommendations** For Fides versions prior to 2.15.1, upgrade to version 2.15.1 to patch the vulnerability. As a temporary workaround, consider deploying the Fides webserver API behind a reverse proxy, such as an AWS application load balancer, to prevent exploitation. Additionally, consider supplying secrets to the container using environment variables rather than a `fides.toml` configuration file to minimize the risk of exposure.