CVE-2023-36827

7.5 HIGH

📋 TL;DR

CVE-2023-36827 is a path traversal vulnerability in the Fides privacy engineering platform that allows remote attackers to read arbitrary files on the webserver container's filesystem. It affects Fides versions below 2.15.1. Organizations running vulnerable Fides deployments whose API is directly reachable from the internet are at risk.

💻 Affected Systems

Products:
  • Fides
Versions: All versions below 2.15.1
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where Fides webserver API is directly accessible. AWS ALB deployments block the attack. Secrets in environment variables are not exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive configuration files, secrets, and system files, potentially leading to full system compromise and data privacy regulation violations.

🟠 Likely Case

Unauthorized access to configuration files containing database credentials, API keys, or other sensitive operational data.

🟢 If Mitigated

If deployed behind AWS ALB as recommended, the attack is blocked with 400 errors. Secrets stored as environment variables remain protected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities typically have low exploitation complexity. No public exploit code was identified in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.15.1

Vendor Advisory: https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Update Fides to version 2.15.1 or higher using the package manager or a container image update.
3. Restart the Fides services.
4. Verify functionality.

🔧 Temporary Workarounds

Deploy behind AWS Application Load Balancer (applies to: all)

Configure AWS ALB as a reverse proxy to block path traversal attempts.

Use environment variables for secrets (applies to: all)

Store sensitive configuration in environment variables instead of fides.toml files.

🧯 If You Can't Patch

  • Deploy Fides behind AWS Application Load Balancer or similar WAF that blocks path traversal patterns
  • Restrict network access to Fides API endpoints using firewall rules or network segmentation

🔍 How to Verify

Check if Vulnerable:

If the Fides version is below 2.15.1 and the API is directly accessible, the deployment is vulnerable.

Check Version:

Check the container image tag, or run `fides --version` if the CLI is available.

Verify Fix Applied:

Confirm the Fides version is 2.15.1 or higher, and test the API endpoints to verify that path traversal attempts are rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 400 errors from AWS ALB
  • Unusual file access patterns in webserver logs
  • Requests containing '../' patterns

Network Indicators:

  • HTTP requests with path traversal sequences to Fides API endpoints

SIEM Query:

source="fides" AND (uri="*../*" OR status=400)
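The SIEM query above matches only a literal `../` substring. Attackers commonly URL-encode or double-encode the dots, so a log review should decode the request URI before matching. The following is an added example (not part of this advisory and not Fides project code) that scans combined-format webserver access log lines for traversal sequences after decoding, and also flags the HTTP 400 responses an ALB returns when it blocks such a request. The log lines are constructed samples; the log format, field layout and paths are assumptions and will need adjusting to the real proxy or webserver in front of Fides.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log style; not captured from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:10:01:02 +0000] "GET /api/v1/privacy-request HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2023:10:01:07 +0000] "GET /api/v1/../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [12/Jul/2023:10:01:09 +0000] "GET /api/v1/%2e%2e/%2e%2e/fides.toml HTTP/1.1" 400 0
10.0.0.7 - - [12/Jul/2023:10:02:11 +0000] "GET /health HTTP/1.1" 200 16
"""

# Minimal combined-log parser (assumed format: ip ident user [ts] "METHOD URI PROTO" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# A ".." path segment bounded by slashes (or the string ends), after normalization.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_uri(uri: str) -> str:
    """Decode percent-encoding twice (catches %252e -> %2e -> .) and unify backslashes."""
    decoded = unquote(unquote(uri))
    return decoded.replace("\\", "/")


def is_traversal(uri: str) -> bool:
    """True if the decoded URI contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None


def scan_log(text: str) -> list:
    """Return one finding per suspicious line with the reasons it was flagged."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = m.groupdict()
        reasons = []
        if is_traversal(rec["uri"]):
            reasons.append("traversal")
        if rec["status"] == "400":
            reasons.append("http400")  # ALB-style block response
        if reasons:
            hits.append({
                "ip": rec["ip"],
                "uri": rec["uri"],
                "status": int(rec["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on a bounded `..` segment rather than any two dots avoids false positives on legitimate file names such as `report..v2.pdf`; a 400 from the proxy on its own is only a weak signal and is worth correlating with the traversal match and the source IP.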
