CVE-2023-36827

Name of the Vulnerable Software and Affected Versions Fides versions prior to 2.15.1

Description A path traversal vulnerability affects Fides, allowing remote attackers to access arbitrary files on the Fides webserver container's filesystem. If the Fides webserver API is deployed behind a reverse proxy, such as an AWS application load balancer, the vulnerability cannot be exploited, and the attack will be rejected with a 400 error. Secrets supplied to the container using environment variables rather than a fides.toml configuration file are not affected by this issue.

Recommendations For Fides versions prior to 2.15.1, upgrade to version 2.15.1 to patch the vulnerability. As a temporary workaround, consider deploying the Fides webserver API behind a reverse proxy, such as an AWS application load balancer, to prevent exploitation. Additionally, consider supplying secrets to the container using environment variables rather than a fides.toml configuration file to minimize the risk of exposure.