CVE-2023-37480: 
Python vulnerability analysis and mitigation

The Fides webserver, an open-source privacy engineering platform for managing data privacy requests and regulations, contains a vulnerability to Denial of Service (DoS) attacks through malicious zip bomb file uploads. This vulnerability (CVE-2023-37480) affects Fides versions 2.11.0 through 2.15.1. The vulnerability was discovered and disclosed in July 2023 (GitHub Advisory).

The vulnerability exists in the connector template upload feature of the Fides webserver. Attackers with elevated privileges (specifically the CONNECTORTEMPLATEREGISTER scope) can upload malicious zip bomb files that, when processed by the server, cause resource exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 MEDIUM by NVD and 2.7 LOW by GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can result in service unavailability for all users of the Fides webserver through resource exhaustion. The impact is somewhat limited as exploitation requires elevated privileges, specifically affecting users with the CONNECTORTEMPLATEREGISTER scope, which includes root users and users with the owner role (GitHub Advisory).

The vulnerability has been patched in Fides version 2.16.0, and users are advised to upgrade to this version or later. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container (GitHub Advisory).