CVSS3: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
AI Score Confidence: High
EPSS Percentile: 32.0%
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the ‘new connector’ page (datastore-connection/new). This vulnerability affects Fides versions 2.11.0 through 2.15.1. Exploitation is limited to users with elevated privileges with the CONNECTOR_TEMPLATE_REGISTER scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version 2.16.0. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.
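The advisory names the payload class (a nested-entity "billion laughs" SVG inside an uploaded zip) but, beyond upgrading, gives no mitigation. The block below is an added example, not Fides project code and not the fix shipped in 2.16.0: it shows the kind of server-side check an upload endpoint can run on a connector-template archive before any SVG is stored or served to an Admin UI tab. Instead of expanding the entities (which would move the DoS from the browser to the server), it walks the entity graph and computes the worst-case expanded size, rejecting recursion, excessive nesting and anything over a size budget. The function names, the thresholds and the sample archive are assumptions of this example; the bomb SVG is constructed here for the demo.

```python
"""Pre-parse check for SVG entity-expansion bombs inside a zip upload.

Added example (not Fides code).  Names, thresholds and sample data are
assumptions chosen for illustration.
"""
import io
import re
import zipfile

# Policy limits: assumed values for this example, not Fides settings.
MAX_ENTITY_EXPANSION = 1_000_000   # bytes an SVG may expand to after entity substitution
MAX_ENTITY_DEPTH = 8               # deepest allowed chain of entity references
MAX_MEMBER_BYTES = 1_000_000       # largest .svg we are willing to read out of the zip

_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r"&(\w+);")
_DOCTYPE_WITH_SUBSET = re.compile(r"<!DOCTYPE\s[^>\[]*\[.*?\]\s*>", re.S)
_DOCTYPE_PLAIN = re.compile(r"<!DOCTYPE[^>]*>")


class SvgBombError(ValueError):
    """Raised when an SVG's entity declarations exceed policy."""


def estimate_entity_expansion(xml_text):
    """Worst-case number of bytes the document body expands to.

    Only the entity graph is walked; nothing is ever materialised, so the
    check cannot itself be blown up by the input it inspects.  Predefined
    entities (&amp; etc.) are not in the DTD and count as zero.
    """
    decls = dict(_ENTITY_DECL.findall(xml_text))
    memo = {}

    def size(name, depth, chain):
        if name in chain:
            raise SvgBombError(f"recursive entity &{name};")
        if depth > MAX_ENTITY_DEPTH:
            raise SvgBombError(f"entity nesting deeper than {MAX_ENTITY_DEPTH}")
        if name in memo:
            return memo[name]
        body = decls.get(name, "")
        total = len(_ENTITY_REF.sub("", body))          # literal text in the value
        for ref in _ENTITY_REF.findall(body):           # plus every nested reference
            total += size(ref, depth + 1, chain | {name})
        memo[name] = total
        return total

    # Only references in the document body (outside the DTD) get expanded by a parser.
    body = _DOCTYPE_PLAIN.sub("", _DOCTYPE_WITH_SUBSET.sub("", xml_text))
    return sum(size(ref, 0, frozenset()) for ref in _ENTITY_REF.findall(body))


def scan_zip_for_svg_bombs(zip_bytes):
    """Return {member: expansion_estimate} for every .svg in the archive.

    Raises SvgBombError on the first member that violates policy, so the
    caller can reject the whole upload before anything is persisted.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".svg"):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)   # cap the read; info.file_size is attacker-controlled
            if len(data) > MAX_MEMBER_BYTES:
                raise SvgBombError(f"{info.filename}: larger than {MAX_MEMBER_BYTES} bytes")
            expansion = estimate_entity_expansion(data.decode("utf-8", errors="replace"))
            if expansion > MAX_ENTITY_EXPANSION:
                raise SvgBombError(f"{info.filename}: would expand to ~{expansion} bytes")
            results[info.filename] = expansion
    return results


# Constructed sample inputs for the demo (not taken from the advisory).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'


def _billion_laughs_svg(levels=7, fanout=10):
    """Classic nested-entity SVG: each level references the one below it `fanout` times."""
    decls = ['<!ENTITY lol1 "lol">']
    for i in range(2, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE svg [\n' + "\n".join(decls) + "\n]>\n"
        f'<svg xmlns="http://www.w3.org/2000/svg"><text>&lol{levels};</text></svg>\n'
    )


BOMB_SVG = _billion_laughs_svg()   # 3 bytes x 10^6 = 3,000,000 bytes on expansion


def build_demo_zip(members):
    """Pack {name: text} into an in-memory zip, as an upload handler would receive it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_for_svg_bombs(build_demo_zip({"icons/logo.svg": BENIGN_SVG})))
    try:
        scan_zip_for_svg_bombs(build_demo_zip({"icons/logo.svg": BENIGN_SVG, "icons/bomb.svg": BOMB_SVG}))
    except SvgBombError as err:
        print("rejected:", err)
```

The simpler policy, and the one most upload endpoints can afford, is to reject any SVG that carries a `<!DOCTYPE` at all, since icons have no legitimate need for a DTD; the size estimate above is for cases where some declarations must be tolerated. Note that this check belongs at upload time: the advisory's point is that the payload is stored and then served to every administrator who opens the page, so a client-side limit alone leaves the persistent DoS in place.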
[
  {
    "vendor": "ethyca",
    "product": "fides",
    "versions": [
      {
        "version": ">= 2.11.0, < 2.16.0",
        "status": "affected"
      }
    ]
  }
]