2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37481

GHSA ID

GHSA-3rw2-wfc8-wmj5

EPSS Score

0.2468%

CWE

CWE-400

Published

7/18/2023

Updated

11/9/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37481

CVE-2023-37481: Fides Webserver Vulnerable to SVG Bomb File Uploads

Impact

The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (datastore-connection/new).

This vulnerability affects Fides versions 2.11.0 through 2.15.1. Exploitation is limited to users with elevated privileges with the CONNECTOR_TEMPLATE_REGISTER scope, which includes root users and users with the owner role.

Patches

The vulnerability has been patched in Fides version 2.16.0. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There is no known workaround to remediate this vulnerability without upgrading.

(GitHub Advisory)

2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37481

GHSA ID

GHSA-3rw2-wfc8-wmj5

EPSS Score

0.2468%

CWE

CWE-400

Published

7/18/2023

Updated

11/9/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ethyca-fides	pip	>= 2.11.0, < 2.16.0	2.16.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from processing user-uploaded SVG files in the connector registration flow without proper XML validation. The pre-patch version of 'save_template' in connector_registry_service.py handled SVG content (line 214-220) without calling verify_svg, allowing malicious XML entities and xlink references. The patch added verify_svg validation precisely at this code location, confirming this was the vulnerable entry point. The CWE-400 mapping and commit diff showing added SVG validation at this code location provide high confidence in this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *i**s w**s*rv*r is vuln*r**l* to * typ* o* **ni*l o* S*rvi** (*oS) *tt**k. *tt**k*rs **n *xploit t*is vuln*r**ility to uplo** zip *il*s *ont*inin* m*li*ious SV* *om*s (simil*r to * *illion l*u**s *tt**k), **usin* r*sour** *x**ustion in

Reasoning

T** vuln*r**ility st*mm** *rom pro**ssin* us*r-uplo**** SV* *il*s in t** *onn**tor r**istr*tion *low wit*out prop*r XML v*li**tion. T** pr*-p*t** v*rsion o* 's*v*_t*mpl*t*' in *onn**tor_r**istry_s*rvi**.py **n*l** SV* *ont*nt (lin* ***-***) wit*out *

2.7

Basic Information

Concerned about an active attack path?

CVE-2023-37481: Fides Webserver Vulnerable to SVG Bomb File Uploads

Impact

Patches

Workarounds

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI