CVE-2023-36827

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container&amp;#39;s filesystem. The vulnerability is patched in fides `2.15.1`.<br /> <br /> If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca&amp;#39;s security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can&amp;#39;t be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.<br />