CVE-2023-46124

Name of the Vulnerable Software and Affected Versions Fides versions prior to 2.22.1

Description The Fides web application is vulnerable to a Server-Side Request Forgery (SSRF) attack. This occurs when a malicious user uploads a specially crafted YAML dataset and config file as a ZIP file, allowing them to perform arbitrary requests to internal systems and exfiltrate data outside the environment. The application fails to properly validate attempts to connect to internal resources, including localhost. Exploitation of this issue is limited to API clients with the CONNECTOR TEMPLATE REGISTER authorization scope, which is typically restricted to highly privileged users, such as root users and users with the owner role.

Recommendations For versions prior to 2.22.1, upgrade to version 2.22.1 or later to secure your system against this threat. As a temporary workaround, consider restricting access to the CONNECTOR TEMPLATE REGISTER authorization scope to minimize the risk of exploitation.