Home > Vulnerability Database > CVE-2023-46124

Mend.io Vulnerability Database

CVE-2023-46124

Good to know:

Date: October 24, 2023

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version "2.22.1".

Language: Python

Severity Score

8.2

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46124

Url: https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4

Url: https://github.com/ethyca/fides

Url: https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee

Url: https://github.com/ethyca/fides/releases/tag/2.22.1

Url: https://www.mend.io/vulnerability-database/CVE-2023-46124

Severity Score

8.2

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version ethyca-fides - 2.22.1

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46124

Good to know:

Date: October 24, 2023

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?