PT-2023-25990 · Fides · Fides

Daveqnet · Published 2023-07-18 · Updated 2023-07-27 · CVE-2023-37480

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Fides versions 2.11.0 through 2.15.1

Description

Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a Denial of Service (DoS) through resource exhaustion. An attacker can abuse the connector template upload feature to upload a zip bomb: a small archive that expands to a very large amount of data when decompressed. Decompressing it exhausts the webserver's memory and CPU, making the service unavailable for all users of that Fides webserver. Exploitation is limited to users with elevated privileges holding the CONNECTOR_TEMPLATE_REGISTER scope, which includes root users and users with the owner role. The high privilege required is why the CVSS score is low (PR:H, A:L) even though the outcome is a full outage of the webserver.

Recommendations

For Fides versions 2.11.0 through 2.15.1, upgrade to Fides version 2.16.0 or later, which fixes the issue. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container (a liveness probe or restart policy on the webserver container keeps the outage short). As a temporary workaround until the upgrade is applied, restrict access to the connector template upload feature: do not grant the CONNECTOR_TEMPLATE_REGISTER scope beyond the accounts that strictly need it, and review which accounts hold the owner role, since those accounts can reach the affected API endpoint.
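The advisory does not describe how 2.16.0 bounds the uploaded archive, so the following is an added example of the kind of check an upload handler should run before decompressing a connector template zip. It is illustrative code written for this page, not Fides' code and not the 2.16.0 fix; the size limits, the member count limit, the `check_and_extract` and `is_safe_upload` names, and the in-memory sample archives are all assumptions constructed for the demonstration.

```python
"""Zip-bomb-aware validation for an uploaded archive.

Added example for this page: this is not Fides' own code nor the 2.16.0 fix,
and the limits below are assumptions chosen for the demonstration.
"""
from __future__ import annotations

import io
import zipfile

# Assumed limits (not values taken from Fides). Tune them to the largest
# legitimate connector template you expect; a few hundred KiB of YAML/JSON
# is typical, so these are already generous.
MAX_MEMBERS = 50
MAX_FILE_UNCOMPRESSED = 5 * 1024 * 1024      # per member
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024    # whole archive
MAX_COMPRESSION_RATIO = 100.0                # uncompressed / compressed


class UnsafeArchive(ValueError):
    """The archive would exceed the configured extraction budget."""


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test input: pack members into a DEFLATE zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_and_extract(data: bytes) -> dict[str, bytes]:
    """Validate an uploaded zip before and while decompressing it.

    Layer 1 rejects on the sizes the central directory declares, which is
    cheap and catches a plain bomb before any decompression happens.
    Layer 2 meters the bytes actually produced, so headers that lie about
    their sizes cannot talk the handler past the budget.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise UnsafeArchive(f"not a zip file: {exc}") from exc

    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise UnsafeArchive(f"too many members: {len(infos)}")

        declared_total = 0
        for info in infos:
            if info.file_size > MAX_FILE_UNCOMPRESSED:
                raise UnsafeArchive(f"{info.filename}: declares {info.file_size} bytes")
            # compress_size is 0 for an empty member; avoid dividing by zero.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_COMPRESSION_RATIO:
                raise UnsafeArchive(f"{info.filename}: ratio {ratio:.0f}:1 exceeds limit")
            declared_total += info.file_size
        if declared_total > MAX_TOTAL_UNCOMPRESSED:
            raise UnsafeArchive(f"archive declares {declared_total} bytes in total")

        extracted: dict[str, bytes] = {}
        produced_total = 0
        for info in infos:
            out = io.BytesIO()
            produced = 0
            with zf.open(info) as member:
                # Read in bounded chunks and abort as soon as real output
                # exceeds the budget, instead of decompressing everything first.
                while chunk := member.read(64 * 1024):
                    produced += len(chunk)
                    produced_total += len(chunk)
                    if (produced > MAX_FILE_UNCOMPRESSED
                            or produced_total > MAX_TOTAL_UNCOMPRESSED):
                        raise UnsafeArchive(f"{info.filename}: output exceeded budget")
                    out.write(chunk)
            extracted[info.filename] = out.getvalue()
    return extracted


def is_safe_upload(data: bytes) -> bool:
    """Convenience wrapper for an API handler: True if the archive passes."""
    try:
        check_and_extract(data)
    except UnsafeArchive:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a benign template and a 20 MiB-of-zeros bomb that
    # DEFLATE shrinks to a few tens of KiB on the wire.
    benign = build_zip({"template.yml": b"name: demo\nversion: 1\nrequests:\n  - access\n"})
    bomb = build_zip({"template.yml": b"\0" * (20 * 1024 * 1024)})
    print("benign:", is_safe_upload(benign), "bomb:", is_safe_upload(bomb),
          "bomb bytes on the wire:", len(bomb))
```

Two caveats for anyone adapting this. The check looks at one archive level only: if a member is itself a zip, it must not be expanded automatically, or the same bomb arrives one layer down. And the byte budget bounds memory, not time; a handler that also wants to bound CPU should run extraction with a request timeout or in a worker with its own resource limits, which is the same kind of isolation the advisory's "restart the container" mitigation relies on after the fact.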

Exploit

Fix

Resource Exhaustion


Weakness Enumeration

Related identifiers

CVE-2023-37480
GHSA-g95c-2jgm-hqc6

Affected products

Fides