SCA: security update for ethyca-fides (GHSA-3rw2-wfc8-wmj5)

medium Tenable Cloud Security Plugin ID 409689

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Fides is an open-source privacy engineering platform for managing data privacy requests and privacy
regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can
exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs
attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service
of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions
`2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the
`CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The
vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or
later to secure their systems against this threat. There is no known workaround to remediate this
vulnerability without upgrading. (CVE-2023-37481)

See Also

https://github.com/advisories/GHSA-3rw2-wfc8-wmj5

Plugin Details

Severity: Medium

ID: 409689

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:N/A:C

CVSS Score Source: CVE-2023-37481

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/18/2023

Vulnerability Publication Date: 7/18/2023

Reference Information

CVE: CVE-2023-37481

cwe: CWE-400