Server-Side Request Forgery Vulnerability in Custom Integration Upload

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version `2.22.1`.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

服务端请求伪造(SSRF)

Fides 代码问题漏洞

Fides是一个开源隐私工程平台，用于管理运行时环境中数据隐私请求的实现以及代码中隐私法规的执行。 Fides 2.22.1之前版本存在安全漏洞，该漏洞源于允许将自定义集成作为ZIP文件上传，其中包含YAML格式的配置和数据集定义。

N/A

N/A