CVE-2023-37481: 
Python vulnerability analysis and mitigation

CVE-2023-37481 affects the Fides webserver, an open-source privacy engineering platform for managing data privacy requests and regulations. The vulnerability was discovered in versions 2.11.0 through 2.15.1 and allows attackers to perform a Denial of Service (DoS) attack through malicious SVG bomb uploads. The issue was disclosed on July 18, 2023, and affects users with elevated privileges having the CONNECTORTEMPLATEREGISTER scope (GitHub Advisory, NVD).

The vulnerability allows attackers to upload zip files containing malicious SVG bombs, similar to a billion laughs attack, which can cause resource exhaustion in Admin UI browser tabs. The attack specifically targets the 'new connector' page (datastore-connection/new). The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) by NVD with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, while GitHub assigned it a score of 2.7 (LOW) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (NVD).

When exploited, this vulnerability results in a persistent denial of service of the 'new connector' page, affecting the Admin UI browser tabs through resource exhaustion. The impact is limited to users with elevated privileges, specifically those with the CONNECTORTEMPLATEREGISTER scope, including root users and users with the owner role (GitHub Advisory).

The vulnerability has been patched in Fides version 2.16.0. Users are strongly advised to upgrade to this version or later to secure their systems. There are no known workarounds to remediate this vulnerability without upgrading (GitHub Advisory).