Safety vulnerability ID: 63350
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Ethyca-fides 2.15.1 fixes a high severity path traversal vulnerability (CVE-2023-36827) present in versions prior to 2.15.1. It allowed remote attackers to access arbitrary files on the Fides webserver container's filesystem. If Fides is deployed behind a reverse proxy as recommended in Ethyca's security best practices, and the reverse proxy is an AWS application load balancer, the vulnerability cannot be exploited. Also, any secrets supplied to the container using environment variables rather than a fides.toml configuration file are unaffected by this vulnerability.
https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq
Latest version: 2.51.1
Open-source ecosystem for data privacy as code.
What's Changed
* Set `sslmode` to `prefer` if connecting to Redshift via ssh in https://github.com/ethyca/fides/pull/3685
* Privacy center action cards are now able to expand to accommodate longer text by RobertKeyser in https://github.com/ethyca/fides/pull/3669
* Handle names with a double underscore when processing access and erasure requests in https://github.com/ethyca/fides/pull/3688
* Allow Privacy Notices banner and modal to scroll as needed by RobertKeyser in https://github.com/ethyca/fides/pull/3713
* Resolve path traversal vulnerability in webserver API in [CVE-2023-36827](https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq)
**Full Changelog**: https://github.com/ethyca/fides/compare/2.15.0...2.15.1