CVE-2023-46124

8.2 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Fides privacy engineering platform. An attacker who can upload a custom integration can include a malicious YAML file that makes Fides issue arbitrary requests to internal systems and exfiltrate data. All Fides deployments that use custom integrations are affected.

💻 Affected Systems

Products:
  • Fides
Versions: All versions before 2.22.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ability to upload custom integrations via ZIP files containing YAML configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network resources, data exfiltration from internal systems, and potential lateral movement to other services.

🟠 Likely Case

Unauthorized access to internal APIs, metadata harvesting from cloud metadata services, and data exfiltration from accessible internal endpoints.

🟢 If Mitigated

With input validation and network segmentation in place, SSRF attempts fail and the impact is limited.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to upload custom integrations. SSRF payloads in YAML files are straightforward to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.22.1

Vendor Advisory: https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Update Fides to version 2.22.1 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the Fides application.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Disable custom integration uploads

Applies to: all

Temporarily disable the ability to upload custom integrations via ZIP files.

Configure Fides to disable custom integration uploads in application settings.

Network segmentation

Applies to: all

Restrict Fides container/VM network access to only required external endpoints.

Configure firewall rules to block outbound connections from Fides to internal networks except required services.

🧯 If You Can't Patch

  • Implement strict input validation for YAML files to block SSRF payloads
  • Deploy network controls to restrict Fides outbound connections to trusted external endpoints only
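The "strict input validation" workaround above amounts to an egress allow-list applied to every URL found in an uploaded integration config before Fides is allowed to fetch it. The following is an added illustration for this page, not Fides's own code. It assumes the ZIP has already been unpacked and each YAML file parsed with a safe loader into a Python mapping; the sample config structure, the field names, and the offline DNS stand-in are constructed for the demo and do not reflect the real Fides integration schema.

```python
"""Egress allow-list check for URLs in an uploaded integration config.

Added example for this advisory page, not Fides's own code. Input is the
already-parsed YAML (a dict); nothing here touches the network because the
resolver is injectable and replaced with a fake for the demo.
"""
import ipaddress
import socket
from typing import Any, Iterator
from urllib.parse import urlsplit

# Destinations resolving into any of these networks are rejected.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),        # loopback
    ipaddress.ip_network("10.0.0.0/8"),         # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),      # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),     # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),     # link-local, incl. cloud metadata 169.254.169.254
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def iter_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json-style path, value) for every string anywhere in the parsed YAML."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def is_blocked_address(addr: str) -> bool:
    """True if the literal address falls in a blocked network (IPv4-mapped IPv6 is unwrapped first)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer, so a name mapping to several addresses is fully checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def find_ssrf_targets(config: Any, resolver=resolve_all,
                      allowed_schemes=("http", "https")) -> list[tuple[str, str]]:
    """Return (path, reason) for every URL-valued string that must not be fetched."""
    findings = []
    for path, value in iter_strings(config):
        if "://" not in value:
            continue
        parts = urlsplit(value)
        if parts.scheme not in allowed_schemes:
            findings.append((path, f"scheme {parts.scheme!r} not allowed"))
            continue
        host = parts.hostname
        if not host:
            findings.append((path, "missing host"))
            continue
        try:
            addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
        except ValueError:
            try:
                addrs = resolver(host)                   # hostname: check every resolved address
            except OSError:
                findings.append((path, f"cannot resolve {host!r}"))
                continue
        for addr in addrs:
            if is_blocked_address(addr):
                findings.append((path, f"{host} -> {addr} is a private/loopback/link-local address"))
                break
    return findings


# Constructed sample: a parsed integration YAML as it might look (not the real Fides schema).
SAMPLE_CONFIG = {
    "name": "example-connector",
    "endpoints": [
        {"name": "users", "request": {"url": "https://api.example.com/v1/users"}},
        {"name": "metadata", "request": {"url": "http://169.254.169.254/latest/meta-data/"}},
        {"name": "intranet", "request": {"url": "https://intranet.corp.internal/export"}},
    ],
}

# Constructed offline stand-in for DNS so the demo is deterministic.
FAKE_DNS = {"api.example.com": ["203.0.113.10"], "intranet.corp.internal": ["10.20.30.40"]}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for path, reason in find_ssrf_targets(SAMPLE_CONFIG, resolver=fake_resolver):
        print(f"REJECT {path}: {reason}")
```

Resolving hostnames at validation time matters because a config can name an innocuous-looking host that resolves to an internal address; in production the check should be repeated at request time (or the resolved address pinned) so the answer cannot change between validation and use. The scheme allow-list is what rejects non-HTTP schemes before any address logic runs.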

🔍 How to Verify

Check if Vulnerable:

Check if Fides version is below 2.22.1 and custom integration uploads are enabled.

Check Version:

Check Fides web interface or API for version information, or inspect container image tag if using Docker.

Verify Fix Applied:

Confirm Fides version is 2.22.1 or later and test that SSRF attempts via YAML files are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Fides to localhost or to internal network ranges
  • Multiple failed integration upload attempts with YAML files

Network Indicators:

  • Outbound connections from Fides to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • HTTP requests to cloud metadata endpoints (169.254.169.254)

SIEM Query:

source="fides" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) OR dest_ip=127.0.0.1 OR dest_ip=169.254.169.254)
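The same rule can be run offline against egress or proxy logs, which is useful for hunting through history before the SIEM rule was in place and for checking the rule's false-positive behaviour. The script below is an added example for this page, not a Fides or vendor artifact: the key=value log format, the field names (source, dest_ip, dest_port, url), the allow-listed database address and the log lines themselves are all constructed for the demo, so adapt the parser to your own egress log format.

```python
"""Offline version of the SIEM query above, run over constructed log lines.

Added example for this advisory page, not Fides's own code. The log format and
field names are assumptions; the sample lines are constructed.
"""
import ipaddress
import re

# Same ranges as the SIEM query: RFC 1918, loopback and the cloud metadata address.
WATCHED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8",
    "169.254.169.254/32",
)]

# Constructed allow-list: internal services Fides legitimately talks to (here a database),
# so the rule does not page on every ordinary connection. Keep this list short and reviewed.
ALLOWED_INTERNAL = {("10.20.30.50", "5432")}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn 'k=v k2="v 2"' into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_suspicious(event: dict) -> bool:
    """Apply the egress rule to one parsed event."""
    if event.get("source") != "fides":
        return False
    if (event.get("dest_ip"), event.get("dest_port")) in ALLOWED_INTERNAL:
        return False
    try:
        ip = ipaddress.ip_address(event.get("dest_ip", ""))
    except ValueError:
        return False
    return any(ip in net for net in WATCHED)


def scan(lines: list[str]) -> list[tuple[int, dict]]:
    """Return (line_number, event) for every line that matches the rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        if is_suspicious(event):
            hits.append((number, event))
    return hits


# Constructed sample egress log (not real traffic).
SAMPLE_LOG = [
    'ts=2024-01-08T10:01:02Z source=fides dest_ip=203.0.113.10 dest_port=443 url="https://api.example.com/v1/users"',
    'ts=2024-01-08T10:01:05Z source=fides dest_ip=169.254.169.254 dest_port=80 url="http://169.254.169.254/latest/meta-data/"',
    'ts=2024-01-08T10:01:09Z source=fides dest_ip=10.20.30.40 dest_port=8080 url="http://10.20.30.40:8080/admin"',
    'ts=2024-01-08T10:01:30Z source=fides dest_ip=10.20.30.50 dest_port=5432',
    'ts=2024-01-08T10:02:00Z source=nginx dest_ip=192.168.1.5 dest_port=5432',
    'ts=2024-01-08T10:02:10Z source=fides dest_ip=172.31.9.9 dest_port=443 url="https://vault.internal/v1/secret"',
    'ts=2024-01-08T10:02:15Z source=fides dest_ip=172.32.0.1 dest_port=443',
]


if __name__ == "__main__":
    for number, event in scan(SAMPLE_LOG):
        print(f"line {number}: fides -> {event['dest_ip']}:{event.get('dest_port', '?')} {event.get('url', '')}")
```

Two details worth noticing: line 6 (172.31.9.9) matches because 172.16.0.0/12 runs through 172.31.255.255, which the shorthand "172.16.x.x" hides, while line 7 (172.32.0.1) does not; and line 4, Fides's own database connection, is suppressed by the allow-list rather than by widening the ranges, so genuine SSRF traffic to other addresses in the same /8 still fires.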

🔗 References
