CVE-2024-34715 (GCVE-0-2024-34715)
Vulnerability from cvelistv5
Published
2024-05-29 16:35
Modified
2024-08-02 02:59
Severity ?
2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
  • CWE-116 - Improper Encoding or Escaping of Output
Summary
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwordsTechnical Description
security-advisories@github.comhttps://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141cPatch
security-advisories@github.comhttps://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7Vendor Advisory, Exploit
security-advisories@github.comhttps://github.com/sqlalchemy/sqlalchemy/discussions/6615Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwordsTechnical Description
af854a3a-2127-422b-91ae-364da2661108https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141cPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7Vendor Advisory, Exploit
af854a3a-2127-422b-91ae-364da2661108https://github.com/sqlalchemy/sqlalchemy/discussions/6615Issue Tracking
Impacted products
Vendor Product Version
ethyca fides Version: < 2.37.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-03T15:09:16.775448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:42:17.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:59:22.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"
          },
          {
            "name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"
          },
          {
            "name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"
          },
          {
            "name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fides",
          "vendor": "ethyca",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.37.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T16:35:46.375Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"
        },
        {
          "name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"
        },
        {
          "name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"
        },
        {
          "name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"
        }
      ],
      "source": {
        "advisory": "GHSA-8cm5-jfj2-26q7",
        "discovery": "UNKNOWN"
      },
      "title": "Partial Password Exposure Vulnerability in Fides Webserver Logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34715",
    "datePublished": "2024-05-29T16:35:46.375Z",
    "dateReserved": "2024-05-07T13:53:00.134Z",
    "dateUpdated": "2024-08-02T02:59:22.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34715\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-29T17:16:20.260\",\"lastModified\":\"2025-09-27T00:05:58.890\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. El servidor web de Fides requiere una conexi\u00f3n a una base de datos PostgreSQL alojada para el almacenamiento persistente de los datos de la aplicaci\u00f3n. Si la contrase\u00f1a utilizada por el servidor web para esta conexi\u00f3n de base de datos incluye caracteres especiales como `@` y `$`, el inicio del servidor web falla y la parte de la contrase\u00f1a que sigue al car\u00e1cter especial queda expuesta en los registros de errores del servidor web. Esto se debe a un escape incorrecto de la cadena de contrase\u00f1a de SQLAlchemy. Como resultado, los usuarios est\u00e1n sujetos a una exposici\u00f3n parcial de la contrase\u00f1a de la base de datos alojada en los registros del servidor web. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.37.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"},{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.37.0\",\"matchCriteriaId\":\"65A57E6E-339D-45F8-BFD3-FCA2D3658A9F\"}]}]}],\"references\":[{\"url\":\"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Exploit\"]},{\"url\":\"https://github.com/sqlalchemy/sqlalchemy/discussions/6615\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\",\"Exploit\"]},{\"url\":\"https://github.com/sqlalchemy/sqlalchemy/discussions/6615\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7\", \"name\": \"https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c\", \"name\": \"https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords\", \"name\": \"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/sqlalchemy/sqlalchemy/discussions/6615\", \"name\": \"https://github.com/sqlalchemy/sqlalchemy/discussions/6615\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:59:22.619Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34715\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-03T15:09:16.775448Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-03T15:09:33.031Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Partial Password Exposure Vulnerability in Fides Webserver Logs\", \"source\": {\"advisory\": \"GHSA-8cm5-jfj2-26q7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"ethyca\", \"product\": \"fides\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.37.0\"}]}], \"references\": [{\"url\": \"https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7\", \"name\": \"https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c\", \"name\": \"https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords\", \"name\": \"https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sqlalchemy/sqlalchemy/discussions/6615\", \"name\": \"https://github.com/sqlalchemy/sqlalchemy/discussions/6615\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532: Insertion of Sensitive Information into Log File\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-29T16:35:46.375Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34715\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:59:22.619Z\", \"dateReserved\": \"2024-05-07T13:53:00.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-29T16:35:46.375Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.