Vulnerabilities related to ethyca - fides
CVE-2024-38537 (GCVE-0-2024-38537)
Vulnerability from cvelistv5
Published
2024-07-02 19:50
Modified
2024-08-02 04:12
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Summary
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.
The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/pull/5026 | x_refsource_MISC | |
https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005 | x_refsource_MISC | |
https://fetch.spec.whatwg.org | x_refsource_MISC | |
https://sansec.io/research/polyfill-supply-chain-attack | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-38537", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-02T20:11:37.728266Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-02T20:11:44.703Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:12:24.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m" }, { "name": "https://github.com/ethyca/fides/pull/5026", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/pull/5026" }, { "name": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005" }, { "name": "https://fetch.spec.whatwg.org", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://fetch.spec.whatwg.org" }, { "name": "https://sansec.io/research/polyfill-supply-chain-attack", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sansec.io/research/polyfill-supply-chain-attack" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.39.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. 
`fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.\n\nThe vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-02T19:50:10.275Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m" }, { "name": "https://github.com/ethyca/fides/pull/5026", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/pull/5026" }, { "name": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005" }, { "name": "https://fetch.spec.whatwg.org", "tags": [ "x_refsource_MISC" ], "url": "https://fetch.spec.whatwg.org" }, { "name": "https://sansec.io/research/polyfill-supply-chain-attack", "tags": [ "x_refsource_MISC" ], "url": "https://sansec.io/research/polyfill-supply-chain-attack" } ], "source": { "advisory": "GHSA-cvw4-c69g-7v7m", "discovery": "UNKNOWN" }, "title": "Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-38537", "datePublished": "2024-07-02T19:50:10.275Z", "dateReserved": "2024-06-18T16:37:02.729Z", "dateUpdated": "2024-08-02T04:12:24.976Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-31223 (GCVE-0-2024-31223)
Vulnerability from cvelistv5
Published
2024-07-03 17:34
Modified
2024-08-02 01:46
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Summary
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097 | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:ethyca:fides:2.19.0:-:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fides", "vendor": "ethyca", "versions": [ { "lessThan": "2.39.2rc0", "status": "affected", "version": "2.19.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-31223", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-22T18:20:08.631813Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-22T18:20:30.888Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:46:04.901Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg" }, { "name": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003e= 2.19.0, \u003c 2.39.2rc0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. 
A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-497", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-03T17:34:48.508Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg" }, { "name": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097" } ], "source": { "advisory": "GHSA-53q7-4874-24qg", "discovery": "UNKNOWN" }, "title": "Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-31223", "datePublished": 
"2024-07-03T17:34:48.508Z", "dateReserved": "2024-03-29T14:16:31.902Z", "dateUpdated": "2024-08-02T01:46:04.901Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-35189 (GCVE-0-2024-35189)
Vulnerability from cvelistv5
Published
2024-05-30 19:47
Modified
2024-08-02 03:07
CWE
Summary
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meet these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery`, whose sensitive fields are at the root level and not nested, are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c | x_refsource_CONFIRM | |
https://cloud.google.com/iam/docs/key-rotation | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fides", "vendor": "ethyca", "versions": [ { "lessThan": "2.37.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-35189", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-12T20:38:12.376244Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-12T20:38:18.435Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.734Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c" }, { "name": "https://cloud.google.com/iam/docs/key-rotation", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cloud.google.com/iam/docs/key-rotation" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.37.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. 
Fides\u0027s developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `\"**********\"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-30T19:47:43.080Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c" }, { "name": "https://cloud.google.com/iam/docs/key-rotation", "tags": [ "x_refsource_MISC" ], "url": "https://cloud.google.com/iam/docs/key-rotation" } ], "source": { "advisory": "GHSA-rcvg-jj3g-rj7c", "discovery": "UNKNOWN" }, "title": "Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-35189", "datePublished": "2024-05-30T19:47:43.080Z", "dateReserved": "2024-05-10T14:24:24.341Z", "dateUpdated": "2024-08-02T03:07:46.734Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-47114 (GCVE-0-2023-47114)
Vulnerability from cvelistv5
Published
2023-11-08 21:50
Modified
2024-09-04 14:04
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then be retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject's browser accessing an HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. This vulnerability has been patched in version 2.23.3.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1 | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.23.3 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:22.796Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38" }, { "name": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.23.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/releases/tag/2.23.3" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-47114", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T14:01:04.916315Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-04T14:04:23.644Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003e= 2.15.1, \u003c 2.23.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. 
If the request is approved by the data controller user operating the Fides web application, the data subject\u0027s personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject\u0027s browser accessing a HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. This vulnerability has been patched in version 2.23.3." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-08T21:50:45.465Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38" }, { "name": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.23.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.23.3" } ], "source": { "advisory": "GHSA-3vpf-mcj7-5h38", "discovery": "UNKNOWN" }, "title": "Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-47114", "datePublished": "2023-11-08T21:50:45.465Z", "dateReserved": "2023-10-30T19:57:51.674Z", "dateUpdated": "2024-09-04T14:04:23.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-45053 (GCVE-0-2024-45053)
Vulnerability from cvelistv5
Published
2024-09-04 16:04
Modified
2024-09-04 18:02
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Summary
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5 | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fides", "vendor": "ethyca", "versions": [ { "lessThan": "2.44.0", "status": "affected", "version": "2.19.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45053", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T18:01:28.427738Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-04T18:02:37.351Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003e= 2.19.0, \u003c 2.44.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-04T16:04:03.741Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx" }, { "name": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5" } ], "source": { "advisory": "GHSA-c34r-238x-f7qx", "discovery": "UNKNOWN" }, "title": "Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45053", "datePublished": "2024-09-04T16:04:03.741Z", "dateReserved": "2024-08-21T17:53:51.332Z", "dateUpdated": "2024-09-04T18:02:37.351Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-48224 (GCVE-0-2023-48224)
Vulnerability from cvelistv5
Published
2023-11-15 20:53
Modified
2024-08-29 15:02
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all personal data held by the data controller, or delete/erase it. Consent requests allow data subject users to modify their privacy preferences for how the data controller uses their personal data, e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. It was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseudo-random number generator (PRNG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process. There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user's privacy preferences. The vulnerability has been patched in Fides version `2.24.0`. 
Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6 | x_refsource_MISC | |
https://peps.python.org/pep-0506/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:23:39.424Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358" }, { "name": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6" }, { "name": "https://peps.python.org/pep-0506/", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://peps.python.org/pep-0506/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-48224", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T15:01:17.448133Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-29T15:02:52.052Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.24.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. 
Consent requests allow data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. It was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseudo-random number generator (PRNG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process. There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user\u0027s privacy preferences. The vulnerability has been patched in Fides version `2.24.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-338", "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-15T20:53:19.590Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358" }, { "name": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6" }, { "name": "https://peps.python.org/pep-0506/", "tags": [ "x_refsource_MISC" ], "url": "https://peps.python.org/pep-0506/" } ], "source": { "advisory": "GHSA-82vr-5769-6358", "discovery": "UNKNOWN" }, "title": "Cryptographically Weak Generation of One-Time Codes for Identity Verification in ethyca-fides" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-48224", "datePublished": "2023-11-15T20:53:19.590Z", "dateReserved": "2023-11-13T13:25:18.480Z", "dateUpdated": "2024-08-29T15:02:52.052Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-57816 (GCVE-0-2025-57816)
Vulnerability from cvelistv5
Published
2025-09-08 21:14
Modified
2025-09-09 14:19
CWE
- CWE-799 - Improper Control of Interaction Frequency
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.69.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-57816", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-09-09T14:19:06.539355Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-09T14:19:27.430Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.69.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-799", "description": "CWE-799: Improper Control of Interaction Frequency", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-08T21:20:43.577Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf" }, { "name": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.69.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" } ], "source": { "advisory": "GHSA-fq34-xw6c-fphf", "discovery": "UNKNOWN" }, "title": "Fides Webserver API Rate Limiting Vulnerability in Proxied Environments" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-57816", "datePublished": "2025-09-08T21:14:06.853Z", "dateReserved": "2025-08-20T14:30:35.011Z", "dateUpdated": "2025-09-09T14:19:27.430Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-45052 (GCVE-0-2024-45052)
Vulnerability from cvelistv5
Published
2024-09-04 15:43
Modified
2024-09-04 16:19
CWE
- CWE-208 - Observable Timing Discrepancy
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4 | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fides", "vendor": "ethyca", "versions": [ { "lessThan": "2.44.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45052", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-04T16:19:06.969242Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-04T16:19:47.481Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.44.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-04T15:43:52.056Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv" }, { "name": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4" } ], "source": { "advisory": "GHSA-2h46-8gf5-fmxv", "discovery": "UNKNOWN" }, "title": "Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45052", "datePublished": "2024-09-04T15:43:52.056Z", "dateReserved": "2024-08-21T17:53:51.331Z", "dateUpdated": "2024-09-04T16:19:47.481Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-57766 (GCVE-0-2025-57766)
Vulnerability from cvelistv5
Published
2025-09-08 21:12
Modified
2025-09-09 13:45
CWE
- CWE-613 - Insufficient Session Expiration
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.69.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-57766", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-09-09T13:44:58.979900Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-09T13:45:07.885Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.69.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 1.7, "baseSeverity": "LOW", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-08T21:21:08.547Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87" }, { "name": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.69.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" } ], "source": { "advisory": "GHSA-rpw8-82v9-3q87", "discovery": "UNKNOWN" }, "title": "Fides\u0027s Admin UI User Password Change Does Not Invalidate Current Session" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-57766", "datePublished": "2025-09-08T21:12:07.626Z", "dateReserved": "2025-08-19T15:16:22.917Z", "dateUpdated": "2025-09-09T13:45:07.885Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46126 (GCVE-0-2023-46126)
Vulnerability from cvelistv5
Published
2023-10-24 21:59
Modified
2024-09-17 14:15
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version `2.22.1`.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506 | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.22.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:37:39.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83" }, { "name": "https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-46126", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T13:55:20.181022Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-17T14:15:58.558Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.22.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. 
The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version `2.22.1`. " } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-24T21:59:30.055Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83" }, { "name": "https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" } ], "source": { "advisory": "GHSA-fgjj-5jmr-gh83", "discovery": "UNKNOWN" }, "title": "Fides JavaScript Injection Vulnerability in Privacy Center URL" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46126", "datePublished": "2023-10-24T21:59:30.055Z", "dateReserved": "2023-10-16T17:51:35.572Z", "dateUpdated": "2024-09-17T14:15:58.558Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-34715 (GCVE-0-2024-34715)
Vulnerability from cvelistv5
Published
2024-05-29 16:35
Modified
2024-08-02 02:59
CWE
Summary
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result, users are subject to partial exposure of the hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c | x_refsource_MISC | |
https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords | x_refsource_MISC | |
https://github.com/sqlalchemy/sqlalchemy/discussions/6615 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-34715", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-03T15:09:16.775448Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:42:17.727Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:59:22.619Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7" }, { "name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c" }, { "name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords" }, { "name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.37.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. 
If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-29T16:35:46.375Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7" }, { "name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c" }, { "name": 
"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "tags": [ "x_refsource_MISC" ], "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords" }, { "name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615" } ], "source": { "advisory": "GHSA-8cm5-jfj2-26q7", "discovery": "UNKNOWN" }, "title": "Partial Password Exposure Vulnerability in Fides Webserver Logs" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-34715", "datePublished": "2024-05-29T16:35:46.375Z", "dateReserved": "2024-05-07T13:53:00.134Z", "dateUpdated": "2024-08-02T02:59:22.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46124 (GCVE-0-2023-46124)
Vulnerability from cvelistv5
Published
2023-10-24 22:51
Modified
2024-09-11 13:21
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version `2.22.1`.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.22.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:37:39.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4" }, { "name": "https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-46124", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T13:10:51.757699Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T13:21:00.478Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.22.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. 
It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version `2.22.1`. " } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-24T22:51:55.128Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4" }, { "name": "https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" } ], "source": { "advisory": "GHSA-jq3w-9mgf-43m4", "discovery": "UNKNOWN" }, "title": "Server-Side Request Forgery Vulnerability in Custom Integration Upload" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": 
"CVE-2023-46124", "datePublished": "2023-10-24T22:51:55.128Z", "dateReserved": "2023-10-16T17:51:35.572Z", "dateUpdated": "2024-09-11T13:21:00.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-46125 (GCVE-0-2023-46125)
Vulnerability from cvelistv5
Published
2023-10-24 22:42
Modified
2024-09-11 13:23
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports, and the database username. This information is useful to administrators but equally to attackers, since it maps the deployment's backend for follow-on attacks, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role (e.g. the viewer role) to retrieve the config information using the API; the assigned CVSS vector accordingly rates confidentiality impact as high with only low privileges required. The vulnerability has been patched in Fides version `2.22.1`.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06 | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.22.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:37:39.715Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89" }, { "name": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-46125", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T13:11:03.119147Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T13:23:33.012Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.22.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. 
The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers\u2019 addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`. " } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-24T22:42:05.651Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89" }, { "name": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" } ], "source": { "advisory": 
"GHSA-rjxg-rpg3-9r89", "discovery": "UNKNOWN" }, "title": "Fides Information Disclosure Vulnerability in Config API Endpoint" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46125", "datePublished": "2023-10-24T22:42:05.651Z", "dateReserved": "2023-10-16T17:51:35.572Z", "dateUpdated": "2024-09-11T13:23:33.012Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-57815 (GCVE-0-2025-57815)
Vulnerability from cvelistv5
Published
2025-09-08 21:11
Modified
2025-09-09 13:44
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. A per-IP limit shared by all API traffic offers little protection against attempts spread across many source addresses or paced to stay under the limit, and it imposes no per-account lockout. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users, for whom upgrading is the only fix described in the advisory.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.69.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-57815", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-09-09T13:43:58.228952Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-09T13:44:06.409Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.69.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 1.7, "baseSeverity": "LOW", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-08T21:20:19.352Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw" }, { "name": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.69.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" } ], "source": { "advisory": "GHSA-7q62-r88r-j5gw", "discovery": "UNKNOWN" }, "title": "Fides Lacks Brute-Force Protections on Authentication Endpoints" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-57815", "datePublished": "2025-09-08T21:11:53.369Z", "dateReserved": "2025-08-20T14:30:35.010Z", "dateUpdated": "2025-09-09T13:44:06.409Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-52008 (GCVE-0-2024-52008)
Vulnerability from cvelistv5
Published
2024-11-26 18:52
Modified
2024-11-26 19:16
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Summary
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side; the underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. That specific user's account can therefore be compromised easily by an attacker guessing or brute-forcing the password. Because only the invited user can weaken their own password, the issue is rated low severity, but it still defeats any organisational password policy the deployment relies on. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52008", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-26T19:16:30.665227Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-26T19:16:54.451Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.50.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user\u0027s email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user\u0027s account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. 
Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2, "baseSeverity": "LOW", "privilegesRequired": "LOW", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-602", "description": "CWE-602: Client-Side Enforcement of Server-Side Security", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T18:52:40.102Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r" } ], "source": { "advisory": "GHSA-v7vm-rhmg-8j2r", "discovery": "UNKNOWN" }, "title": "Password Policy Bypass Vulnerability in Fides Webserver" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52008", "datePublished": "2024-11-26T18:52:40.102Z", "dateReserved": "2024-11-04T17:46:16.779Z", "dateUpdated": "2024-11-26T19:16:54.451Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-37481 (GCVE-0-2023-37481)
Vulnerability from cvelistv5
Published
2023-07-18 18:19
Modified
2024-10-18 17:24
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:16:30.386Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5" }, { "name": "https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-37481", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-18T16:07:02.230803Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-18T17:24:17.416Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003e= 2.11.0, \u003c 2.16.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the \u0027new connector\u0027 page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. 
Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-18T18:19:15.946Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5" }, { "name": "https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d" } ], "source": { "advisory": "GHSA-3rw2-wfc8-wmj5", "discovery": "UNKNOWN" }, "title": "Fides Webserver Vulnerable to SVG Bomb File Uploads" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-37481", "datePublished": "2023-07-18T18:19:15.946Z", "dateReserved": "2023-07-06T13:01:36.999Z", "dateUpdated": "2024-10-18T17:24:17.416Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": 
"5.1" }
CVE-2023-37480 (GCVE-0-2023-37480)
Vulnerability from cvelistv5
Published
2023-07-18 18:19
Modified
2024-10-18 17:22
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6 | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:16:30.242Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6" }, { "name": "https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-37480", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-18T16:06:48.624974Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-18T17:22:39.902Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003e= 2.11.0, \u003c 2.16.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. 
The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-18T18:19:17.956Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6" }, { "name": "https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32" } ], "source": { "advisory": "GHSA-g95c-2jgm-hqc6", "discovery": "UNKNOWN" }, "title": "Fides Webserver Vulnerable to Zip Bomb File Uploads" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-37480", "datePublished": "2023-07-18T18:19:17.956Z", "dateReserved": "2023-07-06T13:01:36.999Z", "dateUpdated": "2024-10-18T17:22:39.902Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41319 (GCVE-0-2023-41319)
Vulnerability from cvelistv5
Published
2023-09-06 17:54
Modified
2024-09-26 19:31
CWE
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute any arbitrary code. The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver Python process owner on the webserver container, which by default is `root` (running the container as a non-root user would reduce, but not remove, the impact), and leveraging that access to attack underlying infrastructure and integrated systems. This vulnerability affects Fides versions from `2.11.0` up to, but not including, `2.19.0` (the affected range recorded in the CVE is `>= 2.11.0, < 2.19.0`). Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the env var `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` environment variable are both either unset or explicitly set to `False`.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T18:54:05.079Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h" }, { "name": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-41319", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-26T19:31:04.115318Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-26T19:31:57.634Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003e= 2.11.0, \u003c 2.19.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute any arbitrary code. 
The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver python process owner on the webserver container, which by default is `root`, and leverage that access to attack underlying infrastructure and integrated systems. This vulnerability affects Fides versions `2.11.0` through `2.19.0`. Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the env var `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` are both either unset or explicit set to `False`." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-06T17:54:30.889Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h" }, { "name": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a" } ], "source": { "advisory": "GHSA-p6p2-qq95-vq5h", "discovery": "UNKNOWN" }, "title": "Remote Code Execution in Custom Integration Upload in Fides" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-41319", "datePublished": "2023-09-06T17:54:30.889Z", "dateReserved": "2023-08-28T16:56:43.365Z", "dateUpdated": "2024-09-26T19:31:57.634Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-36827 (GCVE-0-2023-36827)
Vulnerability from cvelistv5
Published
2023-07-05 21:22
Modified
2024-10-24 18:09
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides `2.15.1`.
If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and that reverse proxy is an AWS Application Load Balancer, the vulnerability can't be exploited by these attackers: an AWS Application Load Balancer rejects this attack with a 400 error. This mitigation is specific to the ALB's request handling; other reverse proxies may forward the traversal sequence unchanged, so deployments behind a different proxy should not assume they are protected and should upgrade. Additionally, because the vulnerability reads files from the container's filesystem, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not exposed by this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.15.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T17:01:09.977Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq" }, { "name": "https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.15.1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ethyca/fides/releases/tag/2.15.1" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fides", "vendor": "ethyca", "versions": [ { "lessThan": "2.15.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-36827", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-24T17:58:37.698723Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-24T18:09:21.319Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.15.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. 
A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container\u0027s filesystem. The vulnerability is patched in fides `2.15.1`.\n\nIf the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca\u0027s security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can\u0027t be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-05T21:22:30.715Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq" }, { "name": "https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f" }, { "name": 
"https://github.com/ethyca/fides/releases/tag/2.15.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.15.1" } ], "source": { "advisory": "GHSA-r25m-cr6v-p9hq", "discovery": "UNKNOWN" }, "title": "Fides vulnerable to Path Traversal in Webserver API" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-36827", "datePublished": "2023-07-05T21:22:30.715Z", "dateReserved": "2023-06-27T15:43:18.388Z", "dateUpdated": "2024-10-24T18:09:21.319Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-57817 (GCVE-0-2025-57817)
Vulnerability from cvelistv5
Published
2025-09-08 21:17
Modified
2025-09-09 13:39
CWE
- CWE-862 - Missing Authorization
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
References
▼ | URL | Tags |
---|---|---|
https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr | x_refsource_CONFIRM | |
https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452 | x_refsource_MISC | |
https://github.com/ethyca/fides/releases/tag/2.69.1 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-57817", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-09T13:38:53.295848Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-09T13:39:00.895Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "fides", "vendor": "ethyca", "versions": [ { "status": "affected", "version": "\u003c 2.69.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-08T21:19:39.349Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr" }, { "name": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452" }, { "name": "https://github.com/ethyca/fides/releases/tag/2.69.1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" } ], "source": { "advisory": "GHSA-hjfh-p8f5-24wr", "discovery": "UNKNOWN" }, "title": "Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-57817", "datePublished": "2025-09-08T21:17:09.105Z", "dateReserved": "2025-08-20T14:30:35.011Z", "dateUpdated": "2025-09-09T13:39:00.895Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2023-10-25 18:17
Modified
2024-11-21 08:27
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports, and the database username. This information is useful for administrative users as well as for attackers performing reconnaissance, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role (e.g. the viewer role) to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA76F207-3012-48FE-AAB5-9B061A5AE996", "versionEndExcluding": "2.22.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers\u2019 addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`. " }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. La API del servidor web de Fides permite a los usuarios recuperar su configuraci\u00f3n utilizando el endpoint `GET api/v1/config`. 
Los datos de configuraci\u00f3n se filtran para suprimir la informaci\u00f3n de configuraci\u00f3n m\u00e1s confidencial antes de devolverla al usuario, pero incluso los datos filtrados contienen informaci\u00f3n sobre los componentes internos y la infraestructura de backend, como diversas configuraciones, direcciones y puertos de servidores y nombre de usuario de la base de datos. Esta informaci\u00f3n es \u00fatil tanto para usuarios administrativos como para atacantes, por lo que no debe revelarse a usuarios con pocos privilegios. Esta vulnerabilidad permite a los usuarios de la interfaz de usuario de administraci\u00f3n con roles inferiores al rol de propietario, por ejemplo, el rol de espectador, recuperar la informaci\u00f3n de configuraci\u00f3n mediante la API. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.22.1` de Fides." } ], "id": "CVE-2023-46125", "lastModified": "2024-11-21T08:27:55.923", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-25T18:17:36.470", "references": [ { "source": 
"security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-08 22:15
Modified
2025-09-10 18:43
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Note that the general IP-based rate limit this endpoint relies on is itself ineffective when Fides is deployed behind a CDN, proxy, or load balancer (see CVE-2025-57816), so it should not be treated as a brute-force control in such deployments. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0", "versionEndExcluding": "2.69.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users." 
} ], "id": "CVE-2025-57815", "lastModified": "2025-09-10T18:43:41.397", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", 
"vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-09-08T22:15:33.520", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-307" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-08 22:15
Modified
2025-09-10 18:42
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on the IPs of the directly connected infrastructure rather than the client IPs, and stores counters in-memory rather than in a shared store, so where several webserver instances run behind a load balancer each instance presumably enforces its own independent limit. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0", "versionEndExcluding": "2.69.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology." 
} ], "id": "CVE-2025-57816", "lastModified": "2025-09-10T18:42:17.857", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", 
"vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-09-08T22:15:33.703", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-799" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-05 22:15
Modified
2024-11-21 08:10
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container's filesystem. The vulnerability is patched in fides `2.15.1`.
If the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca's security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can't be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF59FB40-ECE6-4B0C-85F3-030839164E9F", "versionEndExcluding": "2.15.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides webserver container\u0027s filesystem. The vulnerability is patched in fides `2.15.1`.\n\nIf the Fides webserver API is not directly accessible to attackers and is instead deployed behind a reverse proxy as recommended in Ethyca\u0027s security best practice documentation, and the reverse proxy is an AWS application load balancer, the vulnerability can\u0027t be exploited by these attackers. An AWS application load balancer will reject this attack with a 400 error. 
Additionally, any secrets supplied to the container using environment variables rather than a `fides.toml` configuration file are not affected by this vulnerability.\n" } ], "id": "CVE-2023-36827", "lastModified": "2024-11-21T08:10:41.147", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-05T22:15:10.033", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.15.1" }, { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/f526d9ffb176006d701493c9d0eff6b4884e811f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], 
"url": "https://github.com/ethyca/fides/releases/tag/2.15.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-r25m-cr6v-p9hq" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-02 20:15
Modified
2025-09-02 20:27
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.
The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "960B2BA6-88EF-4A6D-A506-5F699C28EFA0", "versionEndExcluding": "2.39.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.\n\nThe vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. 
`fides.js`, un script del lado del cliente utilizado para interactuar con las funciones de gesti\u00f3n de consentimiento de Fides, utiliz\u00f3 el dominio `polyfill.io` en un caso l\u00edmite muy limitado, cuando detect\u00f3 un navegador heredado como IE11 que no admit\u00eda el est\u00e1ndar de recuperaci\u00f3n. Por lo tanto, era posible que los usuarios de navegadores heredados anteriores a 2017 que navegaban a una p\u00e1gina que serv\u00eda `fides.js` descargaran y ejecutaran scripts maliciosos desde el dominio `polyfill.io` cuando el dominio estaba comprometido y serv\u00eda malware. No se ha identificado ninguna explotaci\u00f3n de `fides.js` a trav\u00e9s de `polyfill.io` al momento de la publicaci\u00f3n. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.39.1` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. El jueves 27 de junio de 2024, Cloudflare y Namecheap intervinieron a nivel de dominio para garantizar que `polyfill.io` y sus subdominios no pudieran resolver el servicio comprometido, haciendo que esta vulnerabilidad no se pudiera explotar. Antes de la intervenci\u00f3n a nivel de dominio, no hab\u00eda workarounds en el lado del servidor y los impactos de esta vulnerabilidad en la confidencialidad, integridad y disponibilidad eran altos. Los clientes pod\u00edan asegurarse de no verse afectados utilizando un navegador moderno que admitiera el est\u00e1ndar de recuperaci\u00f3n." 
} ], "id": "CVE-2024-38537", "lastModified": "2025-09-02T20:27:17.180", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-07-02T20:15:05.860", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://fetch.spec.whatwg.org" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Issue Tracking" ], "url": "https://github.com/ethyca/fides/pull/5026" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://sansec.io/research/polyfill-supply-chain-attack" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://fetch.spec.whatwg.org" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Issue Tracking" ], "url": "https://github.com/ethyca/fides/pull/5026" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://sansec.io/research/polyfill-supply-chain-attack" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-829" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-25 18:17
Modified
2024-11-21 08:27
Severity ?
3.9 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version `2.22.1`.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA76F207-3012-48FE-AAB5-9B061A5AE996", "versionEndExcluding": "2.22.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the integrated website. Exploitation is limited to Admin UI users with the contributor role or higher. The vulnerability has been patched in Fides version `2.22.1`. " }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en entornos de ejecuci\u00f3n, ayudando a hacer cumplir las regulaciones de privacidad en el c\u00f3digo. La aplicaci\u00f3n web de Fides permite a los usuarios editar los avisos de consentimiento y privacidad, como los banners de cookies. La vulnerabilidad permite manipular un payload en la URL de la pol\u00edtica de privacidad que activa la ejecuci\u00f3n de JavaScript cuando el aviso de privacidad es entregado por un sitio web integrado. El alcance del dominio del JavaScript ejecutado es el del sitio web integrado. La explotaci\u00f3n est\u00e1 limitada a los usuarios de la interfaz de usuario de administrador con el rol de colaborador o superior. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.22.1` de Fides." 
} ], "id": "CVE-2023-46126", "lastModified": "2024-11-21T08:27:56.063", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-25T18:17:36.537", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-15 21:15
Modified
2024-11-21 08:31
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all personal data held by the data controller, or delete/erase it. Consent requests allow data subject users to modify their privacy preferences for how the data controller uses their personal data, e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. It was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseudo-random number generator (PRNG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process. There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user's privacy preferences. The vulnerability has been patched in Fides version `2.24.0`. 
Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "12AD55DD-FCA0-4799-ACFF-CD03169882F3", "versionEndExcluding": "2.24.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. It was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseduo-random number generator (PNRG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process. There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. 
However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user\u0027s privacy preferences. The vulnerability has been patched in Fides version `2.24.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. El Privacy Center de Fides permite a los usuarios interesados enviar solicitudes de privacidad y consentimiento a los usuarios responsables del tratamiento de datos de la aplicaci\u00f3n web de Fides. Las solicitudes de privacidad permiten a los interesados presentar una solicitud para acceder a todos los datos personales en poder del controlador de datos, o eliminarlos o borrarlos. La solicitud de consentimiento permite a los usuarios interesados modificar sus preferencias de privacidad sobre c\u00f3mo el controlador de datos utiliza sus datos personales, p. Venta de datos y consentimiento para compartir y optar por no participar. Si `subject_identity_verification_required` en la secci\u00f3n `[ejecuci\u00f3n]` de `fides.toml` o la var env `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` est\u00e1 configurada en `True` en el backend del servidor web de Fides, los interesados reciben un c\u00f3digo de un solo uso a su direcci\u00f3n de correo electr\u00f3nico o el n\u00famero de tel\u00e9fono, seg\u00fan la configuraci\u00f3n de mensajer\u00eda, y el c\u00f3digo de un solo uso deben ser ingresados en Privacy Center UI, por el interesado antes de enviar la solicitud de privacidad o consentimiento. 
Se identific\u00f3 que los valores de c\u00f3digo de un solo uso para estas solicitudes fueron generadas por el m\u00f3dulo \"aleatorio\" de Python, un generador de n\u00fameros pseudoaleatorios (PNRG) criptogr\u00e1ficamente d\u00e9bil. Si un atacante genera varios cientos de c\u00f3digos \u00fanicos consecutivos, esta vulnerabilidad le permite predecir todos los valores futuros de c\u00f3digos \u00fanicos durante la vida \u00fatil del proceso backend de Python. No hay ning\u00fan impacto en la seguridad en las solicitudes de acceso a datos ya que el paquete de descarga de datos personales no se comparte en el Privacy Center en s\u00ed. Sin embargo, esta vulnerabilidad permite a un atacante (i) enviar una solicitud de borrado de datos verificada, lo que resulta en la eliminaci\u00f3n de datos para el usuario objetivo y (ii) enviar una solicitud de consentimiento verificada, modificando las preferencias de privacidad de un usuario. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.24.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No se conocen workarounds para esta vulnerabilidad." 
} ], "id": "CVE-2023-48224", "lastModified": "2024-11-21T08:31:14.697", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-15T21:15:08.100", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358" }, { "source": "security-advisories@github.com", "tags": [ "Technical Description" ], "url": "https://peps.python.org/pep-0506/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Technical Description" ], "url": 
"https://peps.python.org/pep-0506/" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-338" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-03 18:15
Modified
2025-09-04 14:07
Severity ?
Summary
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6BE90C1-F84C-4880-B0CF-DBF06116161C", "versionEndExcluding": "2.39.2", "versionStartIncluding": "2.19.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto y `SERVER_SIDE_FIDES_API_URL` es una variable de entorno de configuraci\u00f3n del lado del servidor utilizada por el Centro de Privacidad de Fides para comunicarse con el servidor web de Fides. El valor de esta variable es una URL que normalmente incluye una direcci\u00f3n IP privada, un nombre de dominio privado y/o un puerto. Una vulnerabilidad presente a partir de la versi\u00f3n 2.19.0 y antes de la versi\u00f3n 2.39.2rc0 permite que un atacante no autenticado realice una solicitud HTTP GET desde el Centro de privacidad que revela el valor de esta URL del lado del servidor. 
Esto podr\u00eda dar lugar a la divulgaci\u00f3n de la configuraci\u00f3n del lado del servidor, proporcionando al atacante informaci\u00f3n sobre los puertos del lado del servidor, direcciones IP privadas y/o nombres de dominio privados. La vulnerabilidad ha sido parcheada en la versi\u00f3n 2.39.2rc0 de Fides. No hay workarounds disponibles." } ], "id": "CVE-2024-31223", "lastModified": "2025-09-04T14:07:17.867", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-07-03T18:15:05.097", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory", "Exploit" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "Exploit" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-497" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-08 22:15
Modified
2025-09-10 18:41
Severity ?
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0", "versionEndExcluding": "2.69.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available." } ], "id": "CVE-2025-57817", "lastModified": "2025-09-10T18:41:28.043", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-09-08T22:15:33.880", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-11-26 19:15
Modified
2025-09-23 13:43
Severity ?
Summary
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. As a result, that specific user's account can easily be compromised by an attacker guessing or brute-forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "01D72BF5-8DDF-4D51-815B-091D738F7261", "versionEndExcluding": "2.50.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user\u0027s email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user\u0027s account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. 
El endpoint de la API de aceptaci\u00f3n de invitaciones de usuarios carece de la aplicaci\u00f3n de pol\u00edticas de contrase\u00f1as del lado del servidor, lo que permite a los usuarios establecer contrase\u00f1as arbitrariamente d\u00e9biles al eludir la validaci\u00f3n del lado del cliente. Si bien la interfaz de usuario aplica requisitos de complejidad de contrase\u00f1as, las llamadas API directas pueden eludir estas comprobaciones, lo que permite la creaci\u00f3n de cuentas con contrase\u00f1as tan cortas como un solo car\u00e1cter. Cuando se habilita un proveedor de mensajer\u00eda de correo electr\u00f3nico y se crea una nueva cuenta de usuario en el sistema, se env\u00eda un correo electr\u00f3nico de invitaci\u00f3n que contiene un enlace especial a la direcci\u00f3n de correo electr\u00f3nico del nuevo usuario. Este enlace dirige al nuevo usuario a una p\u00e1gina donde puede establecer su contrase\u00f1a inicial. Si bien la interfaz de usuario implementa comprobaciones de complejidad de contrase\u00f1as, estas validaciones solo se realizan del lado del cliente. El endpoint de la API subyacente `/api/v1/user/accept-invite` no implementa las mismas validaciones de pol\u00edticas de contrase\u00f1as. Esta vulnerabilidad permite que un usuario invitado establezca una contrase\u00f1a extremadamente d\u00e9bil para su propia cuenta durante el proceso de configuraci\u00f3n inicial de la cuenta. Por lo tanto, la cuenta de ese usuario espec\u00edfico puede verse comprometida f\u00e1cilmente por un atacante que adivine o use la fuerza bruta para adivinar la contrase\u00f1a. La vulnerabilidad ha sido corregida en la versi\u00f3n 2.50.0 de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o a una posterior para proteger sus sistemas contra esta amenaza. No existen workarounds para esta vulnerabilidad." 
} ], "id": "CVE-2024-52008", "lastModified": "2025-09-23T13:43:13.310", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", 
"vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-11-26T19:15:29.583", "references": [ { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-602" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-08 22:15
Modified
2025-09-10 18:44
Severity ?
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions. This creates a vulnerability-chaining opportunity: an attacker who has already obtained a session token through some other attack vector (such as XSS) retains access even after the password is reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0", "versionEndExcluding": "2.69.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available." } ], "id": "CVE-2025-57766", "lastModified": "2025-09-10T18:44:37.507", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-09-08T22:15:33.320", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.69.1" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-04 16:15
Modified
2024-09-06 18:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "79FFA1EA-3D4F-414E-8B57-6AEA5F6FD212", "versionEndExcluding": "2.44.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. Antes de la versi\u00f3n 2.44.0, exist\u00eda una vulnerabilidad de enumeraci\u00f3n de nombres de usuario basada en el tiempo en la autenticaci\u00f3n del servidor web de Fides. Esta vulnerabilidad permite a un atacante no autenticado determinar la existencia de nombres de usuario v\u00e1lidos analizando el tiempo que tarda el servidor en responder a las solicitudes de inicio de sesi\u00f3n. La discrepancia en los tiempos de respuesta entre nombres de usuario v\u00e1lidos e inv\u00e1lidos se puede aprovechar para enumerar usuarios en el sistema. 
Esta vulnerabilidad permite un ataque de enumeraci\u00f3n de nombres de usuario basado en el tiempo. Un atacante puede adivinar y verificar sistem\u00e1ticamente qu\u00e9 nombres de usuario son v\u00e1lidos midiendo el tiempo de respuesta del servidor a las solicitudes de autenticaci\u00f3n. Esta informaci\u00f3n se puede utilizar para realizar otros ataques a la autenticaci\u00f3n, como la fuerza bruta de contrase\u00f1as y el robo de credenciales. La vulnerabilidad se ha corregido en la versi\u00f3n 2.44.0 de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No hay workarounds." } ], "id": "CVE-2024-45052", "lastModified": "2024-09-06T18:18:59.710", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-04T16:15:07.697", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4" }, { "source": "security-advisories@github.com", "tags": [ 
"Exploit", "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-208" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-203" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-05-29 17:16
Modified
2025-09-27 00:05
Severity ?
2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result, users are subject to partial exposure of the hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "65A57E6E-339D-45F8-BFD3-FCA2D3658A9F", "versionEndExcluding": "2.37.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. El servidor web de Fides requiere una conexi\u00f3n a una base de datos PostgreSQL alojada para el almacenamiento persistente de los datos de la aplicaci\u00f3n. Si la contrase\u00f1a utilizada por el servidor web para esta conexi\u00f3n de base de datos incluye caracteres especiales como `@` y `$`, el inicio del servidor web falla y la parte de la contrase\u00f1a que sigue al car\u00e1cter especial queda expuesta en los registros de errores del servidor web. Esto se debe a un escape incorrecto de la cadena de contrase\u00f1a de SQLAlchemy. Como resultado, los usuarios est\u00e1n sujetos a una exposici\u00f3n parcial de la contrase\u00f1a de la base de datos alojada en los registros del servidor web. 
La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.37.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No se conocen workarounds para esta vulnerabilidad." } ], "id": "CVE-2024-34715", "lastModified": "2025-09-27T00:05:58.890", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-05-29T17:16:20.260", "references": [ { "source": "security-advisories@github.com", "tags": [ "Technical Description" ], "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory", "Exploit" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking" ], "url": 
"https://github.com/sqlalchemy/sqlalchemy/discussions/6615" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Technical Description" ], "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory", "Exploit" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-116" }, { "lang": "en", "value": "CWE-532" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-04 16:15
Modified
2024-09-06 18:20
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "58150E65-FD62-47CA-ACD7-2F8876F131EF", "versionEndExcluding": "2.44.0", "versionStartIncluding": "2.19.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. A partir de la versi\u00f3n 2.19.0 y antes de la versi\u00f3n 2.44.0, la funci\u00f3n de creaci\u00f3n de plantillas de correo electr\u00f3nico utiliza Jinja2 sin la desinfecci\u00f3n de entrada adecuada ni restricciones del entorno de renderizado, lo que permite la inyecci\u00f3n de plantillas del lado del servidor que otorga la ejecuci\u00f3n remota de c\u00f3digo a usuarios privilegiados. Un usuario privilegiado se refiere a un usuario de la interfaz de usuario de administraci\u00f3n con el rol predeterminado de \"Propietario\" o \"Colaborador\", que puede escalar su acceso y ejecutar c\u00f3digo en el contenedor del servidor web de Fides subyacente donde se ejecuta la funci\u00f3n de renderizado de plantillas de Jinja. 
La vulnerabilidad se ha corregido en la versi\u00f3n \"2.44.0\" de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o una posterior para proteger sus sistemas contra esta amenaza. No hay workarounds." } ], "id": "CVE-2024-45053", "lastModified": "2024-09-06T18:20:35.430", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-04T16:15:07.910", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1336" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-18 19:15
Modified
2024-11-21 08:11
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges holding the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "784A4F45-3BA5-4372-8697-3B2BADF59AA3", "versionEndExcluding": "2.16.0", "versionStartIncluding": "2.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the \u0027new connector\u0027 page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading." 
} ], "id": "CVE-2023-37481", "lastModified": "2024-11-21T08:11:48.230", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-18T19:15:09.927", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/8beaace082b325e693dc7682029a3cb7e6c2b69d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3rw2-wfc8-wmj5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ 
{ "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-06 18:15
Modified
2024-11-21 08:21
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute arbitrary code. The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver Python process owner on the webserver container, which by default is `root`, and leverages that access to attack underlying infrastructure and integrated systems. Because the code runs as the process owner, a successful bypass amounts to full compromise of the webserver container; the sandbox should not be relied on as a security boundary. This vulnerability affects Fides versions from `2.11.0` up to, but not including, `2.19.0` (the release containing the fix; the NVD CPE range below records `versionEndExcluding` `2.19.0`). Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the environment variable `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` environment variable are both either unset or explicitly set to `False`; check both locations, since either one can enable the feature.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "7987098A-C17F-4C91-9406-7B5BAD1786DD", "versionEndExcluding": "2.19.0", "versionStartIncluding": "2.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute any arbitrary code. The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver python process owner on the webserver container, which by default is `root`, and leverage that access to attack underlying infrastructure and integrated systems. This vulnerability affects Fides versions `2.11.0` through `2.19.0`. Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the env var `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. 
Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` are both either unset or explicit set to `False`." }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. La API del servidor web de Fides permite cargar integraciones personalizadas como un archivo ZIP. Este archivo ZIP debe contener archivos YAML, pero Fides se puede configurar para que tambi\u00e9n acepte la inclusi\u00f3n de c\u00f3digo Python personalizado. El c\u00f3digo personalizado se ejecuta en un entorno restringido y aislado, pero el entorno aislado se puede omitir para ejecutar cualquier c\u00f3digo arbitrario. La vulnerabilidad permite la ejecuci\u00f3n de c\u00f3digo arbitrario en el sistema de destino dentro del contexto del propietario del proceso Python del servidor web en el contenedor del servidor web, que de forma predeterminada es \"root\", y aprovecha ese acceso para atacar la infraestructura subyacente y los sistemas integrados. Esta vulnerabilidad afecta a las versiones de Fides `2.11.0` hasta la `2.19.0`. La explotaci\u00f3n est\u00e1 limitada a clientes API con el alcance de autorizaci\u00f3n `CONNECTOR_TEMPLATE_REGISTER`. En la interfaz de usuario de administraci\u00f3n de Fides, este alcance est\u00e1 restringido a usuarios con privilegios elevados, espec\u00edficamente usuarios root y usuarios con rol de propietario. La explotaci\u00f3n solo es posible si el par\u00e1metro de configuraci\u00f3n de seguridad `allow_custom_connector_functions` est\u00e1 habilitado por el usuario que implementa el contenedor del servidor web Fides, ya sea en `fides.toml` o estableciendo la variable env `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. 
Por defecto este par\u00e1metro de configuraci\u00f3n est\u00e1 deshabilitado. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.19.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. Los usuarios que no puedan actualizar deben asegurarse de que `allow_custom_connector_functions` en `fides.toml` y `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` no est\u00e9n configurados o est\u00e9n configurados expl\u00edcitamente en `False`." } ], "id": "CVE-2023-41319", "lastModified": "2024-11-21T08:21:03.807", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-06T18:15:08.937", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a" }, { "source": "security-advisories@github.com", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" }, { "lang": "en", "value": "CWE-693" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-10-25 18:17
Modified
2024-11-21 08:27
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (a Server-Side Request Forgery, SSRF). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. Both published CVSS vectors record privileges required as High, i.e. the attacker must already be able to upload a custom integration; the GitHub advisory additionally scores scope as Changed, reflecting that the forged requests are issued from the webserver's network position against systems beyond Fides itself. The vulnerability has been patched in Fides version `2.22.1`. The NVD CPE configuration below lists no lower version bound, so all releases prior to `2.22.1` should be treated as affected.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA76F207-3012-48FE-AAB5-9B061A5AE996", "versionEndExcluding": "2.22.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version `2.22.1`. " }, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en entornos de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. La aplicaci\u00f3n web de Fides permite cargar una integraci\u00f3n personalizada como un archivo ZIP que contiene definiciones de configuraci\u00f3n y conjuntos de datos en formato YAML. Se descubri\u00f3 que el conjunto de datos y los archivos de configuraci\u00f3n YAML especialmente manipulados permiten a un usuario malintencionado realizar solicitudes arbitrarias a sistemas internos y extraer datos fuera del entorno (tambi\u00e9n conocido como Server-Side Request Forgery). La aplicaci\u00f3n no realiza una validaci\u00f3n adecuada para bloquear los intentos de conectarse a recursos internos (incluido el host local). 
La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.22.1` de Fides." } ], "id": "CVE-2023-46124", "lastModified": "2024-11-21T08:27:55.783", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-25T18:17:36.400", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-18 19:15
Modified
2024-11-21 08:11
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "784A4F45-3BA5-4372-8697-3B2BADF59AA3", "versionEndExcluding": "2.16.0", "versionStartIncluding": "2.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. 
If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.\n" } ], "id": "CVE-2023-37480", "lastModified": "2024-11-21T08:11:48.090", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-18T19:15:09.840", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ 
{ "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-08 22:15
Modified
2024-11-21 08:29
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then be retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include JSON and CSV, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation or escaping of input coming from, for example, the connected systems and data stores, which is later reflected in the downloaded HTML files. This can result in an HTML injection that can be abused, for example, for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject's browser opening an HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. This vulnerability affects Fides versions from `2.15.1` up to, but not including, `2.23.3` (per the NVD CPE range below) and has been patched in version `2.23.3`.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "64694F6B-53E4-40E4-89FD-6BE525A038D7", "versionEndExcluding": "2.23.3", "versionStartIncluding": "2.15.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject\u0027s personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject\u0027s browser accessing a HTML page using the `file://` protocol. Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves. This vulnerability has been patched in version 2.23.3." 
}, { "lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de las solicitudes de privacidad de datos en su entorno de ejecuci\u00f3n y la aplicaci\u00f3n de las regulaciones de privacidad en su c\u00f3digo. La aplicaci\u00f3n web de Fides permite a los usuarios interesados solicitar el acceso a sus datos personales. Si la solicitud es aprobada por el usuario del controlador de datos que opera la aplicaci\u00f3n web de Fides, los datos personales del interesado se pueden recuperar de los sistemas y almacenes de datos conectados antes de agruparlos como un paquete de solicitud de acceso del interesado para que el interesado los descargue. Los formatos de datos admitidos por el paquete incluyen json y csv, pero el formato m\u00e1s utilizado es una serie de archivos HTML comprimidos en un archivo ZIP. Una vez descargados y descomprimidos, el usuario interesado puede explorar los archivos HTML en su m\u00e1quina local. Se identific\u00f3 que no hubo validaci\u00f3n de las entradas provenientes, por ejemplo, de los sistemas conectados y los almacenes de datos, lo que luego se refleja en los datos descargados. Esto puede dar lugar a una inyecci\u00f3n de HTML de la que se puede abusar, por ejemplo, para ataques de phishing o ejecuci\u00f3n de c\u00f3digo JavaScript malicioso, pero s\u00f3lo en el contexto del navegador del interesado que accede a una p\u00e1gina HTML utilizando el protocolo `file://`. La explotaci\u00f3n se limita a usuarios no autorizados de la interfaz de usuario de administraci\u00f3n, a usuarios maliciosos del sistema conectado/almacenamiento de datos y al usuario interesado si se le enga\u00f1a mediante ingenier\u00eda social para que env\u00ede datos maliciosos. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.23.3." 
} ], "id": "CVE-2023-47114", "lastModified": "2024-11-21T08:29:48.377", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-08T22:15:11.023", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.23.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/ethyca/fides/releases/tag/2.23.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }