60 vulnerabilities found for fides by ethyca
FKIE_CVE-2025-57817
Vulnerability from fkie_nvd - Published: 2025-09-08 22:15 - Updated: 2025-09-10 18:41
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0",
"versionEndExcluding": "2.69.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available."
}
],
"id": "CVE-2025-57817",
"lastModified": "2025-09-10T18:41:28.043",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-08T22:15:33.880",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-57816
Vulnerability from fkie_nvd - Published: 2025-09-08 22:15 - Updated: 2025-09-10 18:42
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0",
"versionEndExcluding": "2.69.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology."
}
],
"id": "CVE-2025-57816",
"lastModified": "2025-09-10T18:42:17.857",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-08T22:15:33.703",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-799"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-57815
Vulnerability from fkie_nvd - Published: 2025-09-08 22:15 - Updated: 2025-09-10 18:43
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0",
"versionEndExcluding": "2.69.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users."
}
],
"id": "CVE-2025-57815",
"lastModified": "2025-09-10T18:43:41.397",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.7,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-08T22:15:33.520",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-57766
Vulnerability from fkie_nvd - Published: 2025-09-08 22:15 - Updated: 2025-09-10 18:44
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52846B1D-36BC-4166-BBCE-9743675898F0",
"versionEndExcluding": "2.69.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available."
}
],
"id": "CVE-2025-57766",
"lastModified": "2025-09-10T18:44:37.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.7,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-08T22:15:33.320",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-52008
Vulnerability from fkie_nvd - Published: 2024-11-26 19:15 - Updated: 2025-09-23 13:43
Summary
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user's account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01D72BF5-8DDF-4D51-815B-091D738F7261",
"versionEndExcluding": "2.50.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user\u0027s email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user\u0027s account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. El endpoint de la API de aceptaci\u00f3n de invitaciones de usuarios carece de la aplicaci\u00f3n de pol\u00edticas de contrase\u00f1as del lado del servidor, lo que permite a los usuarios establecer contrase\u00f1as arbitrariamente d\u00e9biles al eludir la validaci\u00f3n del lado del cliente. Si bien la interfaz de usuario aplica requisitos de complejidad de contrase\u00f1as, las llamadas API directas pueden eludir estas comprobaciones, lo que permite la creaci\u00f3n de cuentas con contrase\u00f1as tan cortas como un solo car\u00e1cter. Cuando se habilita un proveedor de mensajer\u00eda de correo electr\u00f3nico y se crea una nueva cuenta de usuario en el sistema, se env\u00eda un correo electr\u00f3nico de invitaci\u00f3n que contiene un enlace especial a la direcci\u00f3n de correo electr\u00f3nico del nuevo usuario. Este enlace dirige al nuevo usuario a una p\u00e1gina donde puede establecer su contrase\u00f1a inicial. Si bien la interfaz de usuario implementa comprobaciones de complejidad de contrase\u00f1as, estas validaciones solo se realizan del lado del cliente. El endpoint de la API subyacente `/api/v1/user/accept-invite` no implementa las mismas validaciones de pol\u00edticas de contrase\u00f1as. Esta vulnerabilidad permite que un usuario invitado establezca una contrase\u00f1a extremadamente d\u00e9bil para su propia cuenta durante el proceso de configuraci\u00f3n inicial de la cuenta. Por lo tanto, la cuenta de ese usuario espec\u00edfico puede verse comprometida f\u00e1cilmente por un atacante que adivine o use la fuerza bruta para adivinar la contrase\u00f1a. La vulnerabilidad ha sido corregida en la versi\u00f3n 2.50.0 de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o a una posterior para proteger sus sistemas contra esta amenaza. No existen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-52008",
"lastModified": "2025-09-23T13:43:13.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-11-26T19:15:29.583",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-602"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-45053
Vulnerability from fkie_nvd - Published: 2024-09-04 16:15 - Updated: 2024-09-06 18:20
Severity
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58150E65-FD62-47CA-ACD7-2F8876F131EF",
"versionEndExcluding": "2.44.0",
"versionStartIncluding": "2.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. A partir de la versi\u00f3n 2.19.0 y antes de la versi\u00f3n 2.44.0, la funci\u00f3n de creaci\u00f3n de plantillas de correo electr\u00f3nico utiliza Jinja2 sin la desinfecci\u00f3n de entrada adecuada ni restricciones del entorno de renderizado, lo que permite la inyecci\u00f3n de plantillas del lado del servidor que otorga la ejecuci\u00f3n remota de c\u00f3digo a usuarios privilegiados. Un usuario privilegiado se refiere a un usuario de la interfaz de usuario de administraci\u00f3n con el rol predeterminado de \"Propietario\" o \"Colaborador\", que puede escalar su acceso y ejecutar c\u00f3digo en el contenedor del servidor web de Fides subyacente donde se ejecuta la funci\u00f3n de renderizado de plantillas de Jinja. La vulnerabilidad se ha corregido en la versi\u00f3n \"2.44.0\" de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o una posterior para proteger sus sistemas contra esta amenaza. No hay workarounds."
}
],
"id": "CVE-2024-45053",
"lastModified": "2024-09-06T18:20:35.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-04T16:15:07.910",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-45052
Vulnerability from fkie_nvd - Published: 2024-09-04 16:15 - Updated: 2024-09-06 18:18
Severity
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79FFA1EA-3D4F-414E-8B57-6AEA5F6FD212",
"versionEndExcluding": "2.44.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. Antes de la versi\u00f3n 2.44.0, exist\u00eda una vulnerabilidad de enumeraci\u00f3n de nombres de usuario basada en el tiempo en la autenticaci\u00f3n del servidor web de Fides. Esta vulnerabilidad permite a un atacante no autenticado determinar la existencia de nombres de usuario v\u00e1lidos analizando el tiempo que tarda el servidor en responder a las solicitudes de inicio de sesi\u00f3n. La discrepancia en los tiempos de respuesta entre nombres de usuario v\u00e1lidos e inv\u00e1lidos se puede aprovechar para enumerar usuarios en el sistema. Esta vulnerabilidad permite un ataque de enumeraci\u00f3n de nombres de usuario basado en el tiempo. Un atacante puede adivinar y verificar sistem\u00e1ticamente qu\u00e9 nombres de usuario son v\u00e1lidos midiendo el tiempo de respuesta del servidor a las solicitudes de autenticaci\u00f3n. Esta informaci\u00f3n se puede utilizar para realizar otros ataques a la autenticaci\u00f3n, como la fuerza bruta de contrase\u00f1as y el robo de credenciales. La vulnerabilidad se ha corregido en la versi\u00f3n 2.44.0 de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No hay workarounds."
}
],
"id": "CVE-2024-45052",
"lastModified": "2024-09-06T18:18:59.710",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-04T16:15:07.697",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-208"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-31223
Vulnerability from fkie_nvd - Published: 2024-07-03 18:15 - Updated: 2025-09-04 14:07
Severity ?
Summary
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BE90C1-F84C-4880-B0CF-DBF06116161C",
"versionEndExcluding": "2.39.2",
"versionStartIncluding": "2.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto y `SERVER_SIDE_FIDES_API_URL` es una variable de entorno de configuraci\u00f3n del lado del servidor utilizada por el Centro de Privacidad de Fides para comunicarse con el servidor web de Fides. El valor de esta variable es una URL que normalmente incluye una direcci\u00f3n IP privada, un nombre de dominio privado y/o un puerto. Una vulnerabilidad presente a partir de la versi\u00f3n 2.19.0 y antes de la versi\u00f3n 2.39.2rc0 permite que un atacante no autenticado realice una solicitud HTTP GET desde el Centro de privacidad que revela el valor de esta URL del lado del servidor. Esto podr\u00eda dar lugar a la divulgaci\u00f3n de la configuraci\u00f3n del lado del servidor, proporcionando al atacante informaci\u00f3n sobre los puertos del lado del servidor, direcciones IP privadas y/o nombres de dominio privados. La vulnerabilidad ha sido parcheada en la versi\u00f3n 2.39.2rc0 de Fides. No hay workarounds disponibles."
}
],
"id": "CVE-2024-31223",
"lastModified": "2025-09-04T14:07:17.867",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-07-03T18:15:05.097",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-497"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-38537
Vulnerability from fkie_nvd - Published: 2024-07-02 20:15 - Updated: 2025-09-02 20:27
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.
The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "960B2BA6-88EF-4A6D-A506-5F699C28EFA0",
"versionEndExcluding": "2.39.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.\n\nThe vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. `fides.js`, un script del lado del cliente utilizado para interactuar con las funciones de gesti\u00f3n de consentimiento de Fides, utiliz\u00f3 el dominio `polyfill.io` en un caso l\u00edmite muy limitado, cuando detect\u00f3 un navegador heredado como IE11 que no admit\u00eda el est\u00e1ndar de recuperaci\u00f3n. Por lo tanto, era posible que los usuarios de navegadores heredados anteriores a 2017 que navegaban a una p\u00e1gina que serv\u00eda `fides.js` descargaran y ejecutaran scripts maliciosos desde el dominio `polyfill.io` cuando el dominio estaba comprometido y serv\u00eda malware. No se ha identificado ninguna explotaci\u00f3n de `fides.js` a trav\u00e9s de `polyfill.io` al momento de la publicaci\u00f3n. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.39.1` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. El jueves 27 de junio de 2024, Cloudflare y Namecheap intervinieron a nivel de dominio para garantizar que `polyfill.io` y sus subdominios no pudieran resolver el servicio comprometido, haciendo que esta vulnerabilidad no se pudiera explotar. Antes de la intervenci\u00f3n a nivel de dominio, no hab\u00eda workarounds en el lado del servidor y los impactos de esta vulnerabilidad en la confidencialidad, integridad y disponibilidad eran altos. Los clientes pod\u00edan asegurarse de no verse afectados utilizando un navegador moderno que admitiera el est\u00e1ndar de recuperaci\u00f3n."
}
],
"id": "CVE-2024-38537",
"lastModified": "2025-09-02T20:27:17.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0.0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 0.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-02T20:15:05.860",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://fetch.spec.whatwg.org"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ethyca/fides/pull/5026"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://fetch.spec.whatwg.org"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ethyca/fides/pull/5026"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-829"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-35189
Vulnerability from fkie_nvd - Published: 2024-05-30 20:15 - Updated: 2025-10-20 17:56
Severity ?
Summary
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meet these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"matchCriteriaId": "65A57E6E-339D-45F8-BFD3-FCA2D3658A9F",
"versionEndExcluding": "2.37.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides\u0027s developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `\"**********\"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. El servidor web de Fides tiene una serie de endpoints que recuperan registros de \"Configuraci\u00f3n de conexi\u00f3n\" y sus \"secretos\" asociados que _pueden_ contener datos confidenciales (por ejemplo, contrase\u00f1as, claves privadas, etc.). Estos \"secretos\" se almacenan cifrados en reposo (en la base de datos de la aplicaci\u00f3n) y los endpoints asociados no est\u00e1n destinados a exponer esos datos confidenciales en texto sin formato a los clientes API, ya que podr\u00edan ser comprometedores. Los desarrolladores de Fides tienen a su disposici\u00f3n un atributo de campo Pydantic (\"sensible\") que pueden anotar como \"Verdadero\" para indicar que un campo secreto determinado no debe exponerse a trav\u00e9s de la API. La aplicaci\u00f3n tiene una funci\u00f3n interna que utiliza anotaciones \"sensibles\" para enmascarar los campos sensibles con un valor de marcador de posici\u00f3n \"**********\". Esta vulnerabilidad se debe a un error en esa funci\u00f3n, que imped\u00eda que los campos del modelo API \"sensibles\" que estaban _anidados_ debajo del nivel ra\u00edz de un objeto \"secreto\" se enmascararan adecuadamente. Solo los secretos de configuraci\u00f3n de conexi\u00f3n de \"BigQuery\" cumplen estos criterios: el esquema de secretos tiene una propiedad sensible anidada \"keyfile_creds.private_key\" que se expone en texto sin formato a trav\u00e9s de las API. Los tipos de conexi\u00f3n distintos de \"BigQuery\" con campos confidenciales en el nivel ra\u00edz que no est\u00e1n anidados se enmascaran correctamente con el marcador de posici\u00f3n y no se ven afectados por esta vulnerabilidad. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.37.0 de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. Tambi\u00e9n se recomienda a los usuarios que roten los secretos de Google Cloud utilizados para las integraciones de BigQuery en sus implementaciones de Fides. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-35189",
"lastModified": "2025-10-20T17:56:22.387",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-05-30T20:15:09.457",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://cloud.google.com/iam/docs/key-rotation"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://cloud.google.com/iam/docs/key-rotation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-201"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2025-57817 (GCVE-0-2025-57817)
Vulnerability from cvelistv5 – Published: 2025-09-08 21:17 – Updated: 2025-09-09 13:39
Title
Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:38:53.295848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:39:00.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:19:39.349Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr"
},
{
"name": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-hjfh-p8f5-24wr",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57817",
"datePublished": "2025-09-08T21:17:09.105Z",
"dateReserved": "2025-08-20T14:30:35.011Z",
"dateUpdated": "2025-09-09T13:39:00.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57816 (GCVE-0-2025-57816)
Vulnerability from cvelistv5 – Published: 2025-09-08 21:14 – Updated: 2025-09-09 14:19
Title
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
Severity ?
CWE
- CWE-799 - Improper Control of Interaction Frequency
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T14:19:06.539355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T14:19:27.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-799",
"description": "CWE-799: Improper Control of Interaction Frequency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:20:43.577Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf"
},
{
"name": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-fq34-xw6c-fphf",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver API Rate Limiting Vulnerability in Proxied Environments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57816",
"datePublished": "2025-09-08T21:14:06.853Z",
"dateReserved": "2025-08-20T14:30:35.011Z",
"dateUpdated": "2025-09-09T14:19:27.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57766 (GCVE-0-2025-57766)
Vulnerability from cvelistv5 – Published: 2025-09-08 21:12 – Updated: 2025-09-09 13:45
Title
Fides's Admin UI User Password Change Does Not Invalidate Current Session
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available. Practical note: the same gap applies to sessions an attacker established by logging in with a leaked or guessed password, so on affected versions administrators should not assume that resetting a user's password ends an intrusion already in progress.
Severity: 1.7 (Low) — CVSS 4.0, per the CNA record below
CWE
- CWE-613 - Insufficient Session Expiration
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:44:58.979900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:45:07.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:21:08.547Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87"
},
{
"name": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-rpw8-82v9-3q87",
"discovery": "UNKNOWN"
},
"title": "Fides\u0027s Admin UI User Password Change Does Not Invalidate Current Session"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57766",
"datePublished": "2025-09-08T21:12:07.626Z",
"dateReserved": "2025-08-19T15:16:22.917Z",
"dateUpdated": "2025-09-09T13:45:07.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57815 (GCVE-0-2025-57815)
Vulnerability from cvelistv5 – Published: 2025-09-08 21:11 – Updated: 2025-09-09 13:44
Title
Fides Lacks Brute-Force Protections on Authentication Endpoints
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Note that this general IP-based limit is itself ineffective behind CDNs, proxies or load balancers (see CVE-2025-57816, addressed by the same fix commit), so in proxied deployments there was effectively no server-side throttle on login attempts before 2.69.1. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.
Severity: 1.7 (Low) — CVSS 4.0, per the CNA record below
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:43:58.228952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:44:06.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:20:19.352Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw"
},
{
"name": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-7q62-r88r-j5gw",
"discovery": "UNKNOWN"
},
"title": "Fides Lacks Brute-Force Protections on Authentication Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57815",
"datePublished": "2025-09-08T21:11:53.369Z",
"dateReserved": "2025-08-20T14:30:35.010Z",
"dateUpdated": "2025-09-09T13:44:06.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52008 (GCVE-0-2024-52008)
Vulnerability from cvelistv5 – Published: 2024-11-26 18:52 – Updated: 2024-11-26 19:16
Title
Password Policy Bypass Vulnerability in Fides Webserver
Summary
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user's account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability. Practical note: the advisory describes enforcement at the time a password is set; it does not state whether passwords already accepted by the unpatched endpoint are re-validated after upgrade, so administrators may want to require a password reset for users who accepted invites on affected versions.
Severity: 2.0 (Low) — CVSS 4.0, per the CNA record below
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T19:16:30.665227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T19:16:54.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.50.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user\u0027s email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user\u0027s account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602: Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T18:52:40.102Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r"
}
],
"source": {
"advisory": "GHSA-v7vm-rhmg-8j2r",
"discovery": "UNKNOWN"
},
"title": "Password Policy Bypass Vulnerability in Fides Webserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52008",
"datePublished": "2024-11-26T18:52:40.102Z",
"dateReserved": "2024-11-04T17:46:16.779Z",
"dateUpdated": "2024-11-26T19:16:54.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45053 (GCVE-0-2024-45053)
Vulnerability from cvelistv5 – Published: 2024-09-04 16:04 – Updated: 2024-09-04 18:02
Title
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
Summary
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The CVSS 3.1 vector records scope as Changed, reflecting that the impact extends beyond the application to the webserver container itself; any credentials, secrets or network reach available to that process should be considered exposed to such a user on affected versions. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Severity: 9.1 (Critical) — CVSS 3.1
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.44.0",
"status": "affected",
"version": "2.19.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T18:01:28.427738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T18:02:37.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:04:03.741Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx"
},
{
"name": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5"
}
],
"source": {
"advisory": "GHSA-c34r-238x-f7qx",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45053",
"datePublished": "2024-09-04T16:04:03.741Z",
"dateReserved": "2024-08-21T17:53:51.332Z",
"dateUpdated": "2024-09-04T18:02:37.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45052 (GCVE-0-2024-45052)
Vulnerability from cvelistv5 – Published: 2024-09-04 15:43 – Updated: 2024-09-04 16:19
Title
Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. Combined with the lack of dedicated brute-force protection on the login endpoint (CVE-2025-57815, also listed on this page), a confirmed list of usernames lowers the cost of password spraying considerably. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Severity: 5.3 (Medium) — CVSS 3.1
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.44.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45052",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:19:06.969242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:19:47.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:43:52.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv"
},
{
"name": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4"
}
],
"source": {
"advisory": "GHSA-2h46-8gf5-fmxv",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45052",
"datePublished": "2024-09-04T15:43:52.056Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-09-04T16:19:47.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31223 (GCVE-0-2024-31223)
Vulnerability from cvelistv5 – Published: 2024-07-03 17:34 – Updated: 2024-08-02 01:46
Title
Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
Summary
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request to the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available. Data-quality note for anyone consuming this record: the CISA ADP container below carries the CPE string `cpe:2.3:a:ethyca:fides:2.19.0:-:*:*:*:*:*:*`, which pins a single version, while its accompanying version range covers 2.19.0 up to (but excluding) 2.39.2rc0; tooling that matches on the CPE alone may under-report affected versions.
Severity: 5.3 (Medium) — CVSS 3.1
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:2.19.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.39.2rc0",
"status": "affected",
"version": "2.19.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T18:20:08.631813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T18:20:30.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg"
},
{
"name": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.39.2rc0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T17:34:48.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg"
},
{
"name": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097"
}
],
"source": {
"advisory": "GHSA-53q7-4874-24qg",
"discovery": "UNKNOWN"
},
"title": "Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31223",
"datePublished": "2024-07-03T17:34:48.508Z",
"dateReserved": "2024-03-29T14:16:31.902Z",
"dateUpdated": "2024-08-02T01:46:04.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38537 (GCVE-0-2024-38537)
Vulnerability from cvelistv5 – Published: 2024-07-02 19:50 – Updated: 2024-08-02 04:12
Title
Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Summary
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.
The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. Note that the domain-level intervention is a third-party mitigation outside the operator's control; upgrading to 2.39.1 or later removes the external dependency from `fides.js` entirely and is the durable fix.
Severity ?
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner: GitHub_M
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T20:11:37.728266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:11:44.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:24.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m"
},
{
"name": "https://github.com/ethyca/fides/pull/5026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/pull/5026"
},
{
"name": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005"
},
{
"name": "https://fetch.spec.whatwg.org",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fetch.spec.whatwg.org"
},
{
"name": "https://sansec.io/research/polyfill-supply-chain-attack",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.39.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.\n\nThe vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T19:50:10.275Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m"
},
{
"name": "https://github.com/ethyca/fides/pull/5026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/pull/5026"
},
{
"name": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005"
},
{
"name": "https://fetch.spec.whatwg.org",
"tags": [
"x_refsource_MISC"
],
"url": "https://fetch.spec.whatwg.org"
},
{
"name": "https://sansec.io/research/polyfill-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
}
],
"source": {
"advisory": "GHSA-cvw4-c69g-7v7m",
"discovery": "UNKNOWN"
},
"title": "Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38537",
"datePublished": "2024-07-02T19:50:10.275Z",
"dateReserved": "2024-06-18T16:37:02.729Z",
"dateUpdated": "2024-08-02T04:12:24.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35189 (GCVE-0-2024-35189)
Vulnerability from cvelistv5 – Published: 2024-05-30 19:47 – Updated: 2024-08-02 03:07
Title
Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides
Summary
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets`, which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as doing so could be compromising. Fides's developers have a Pydantic field attribute (`sensitive`) available to them, which they can set to `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meet these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery`, whose sensitive fields are at the root level and not nested, are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability.
Severity ?
6.5 (Medium)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.37.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T20:38:12.376244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T20:38:18.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.734Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c"
},
{
"name": "https://cloud.google.com/iam/docs/key-rotation",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cloud.google.com/iam/docs/key-rotation"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.37.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides\u0027s developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `\"**********\"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-30T19:47:43.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c"
},
{
"name": "https://cloud.google.com/iam/docs/key-rotation",
"tags": [
"x_refsource_MISC"
],
"url": "https://cloud.google.com/iam/docs/key-rotation"
}
],
"source": {
"advisory": "GHSA-rcvg-jj3g-rj7c",
"discovery": "UNKNOWN"
},
"title": "Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35189",
"datePublished": "2024-05-30T19:47:43.080Z",
"dateReserved": "2024-05-10T14:24:24.341Z",
"dateUpdated": "2024-08-02T03:07:46.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57817 (GCVE-0-2025-57817)
Vulnerability from nvd – Published: 2025-09-08 21:17 – Updated: 2025-09-09 13:39
Title
Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
CWE
- CWE-862 - Missing Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57817",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:38:53.295848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:39:00.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:19:39.349Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr"
},
{
"name": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-hjfh-p8f5-24wr",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57817",
"datePublished": "2025-09-08T21:17:09.105Z",
"dateReserved": "2025-08-20T14:30:35.011Z",
"dateUpdated": "2025-09-09T13:39:00.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57816 (GCVE-0-2025-57816)
Vulnerability from nvd – Published: 2025-09-08 21:14 – Updated: 2025-09-09 14:19
Title
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
CWE
- CWE-799 - Improper Control of Interaction Frequency
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T14:19:06.539355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T14:19:27.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected. Version 2.69.1 fixes the issue. There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-799",
"description": "CWE-799: Improper Control of Interaction Frequency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:20:43.577Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf"
},
{
"name": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-fq34-xw6c-fphf",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver API Rate Limiting Vulnerability in Proxied Environments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57816",
"datePublished": "2025-09-08T21:14:06.853Z",
"dateReserved": "2025-08-20T14:30:35.011Z",
"dateUpdated": "2025-09-09T14:19:27.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57766 (GCVE-0-2025-57766)
Vulnerability from nvd – Published: 2025-09-08 21:12 – Updated: 2025-09-09 13:45
Title
Fides's Admin UI User Password Change Does Not Invalidate Current Session
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability-chaining opportunity: attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after a password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available.
CWE
- CWE-613 - Insufficient Session Expiration
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:44:58.979900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:45:07.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:21:08.547Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rpw8-82v9-3q87"
},
{
"name": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/8daec4f5ad3daf0f0bdab4814f6757eb0965104b"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-rpw8-82v9-3q87",
"discovery": "UNKNOWN"
},
"title": "Fides\u0027s Admin UI User Password Change Does Not Invalidate Current Session"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57766",
"datePublished": "2025-09-08T21:12:07.626Z",
"dateReserved": "2025-08-19T15:16:22.917Z",
"dateUpdated": "2025-09-09T13:45:07.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57815 (GCVE-0-2025-57815)
Vulnerability from nvd – Published: 2025-09-08 21:11 – Updated: 2025-09-09 13:44
Title
Fides Lacks Brute-Force Protections on Authentication Endpoints
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:43:58.228952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:44:06.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.69.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T21:20:19.352Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-7q62-r88r-j5gw"
},
{
"name": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"name": "https://github.com/ethyca/fides/releases/tag/2.69.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"source": {
"advisory": "GHSA-7q62-r88r-j5gw",
"discovery": "UNKNOWN"
},
"title": "Fides Lacks Brute-Force Protections on Authentication Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57815",
"datePublished": "2025-09-08T21:11:53.369Z",
"dateReserved": "2025-08-20T14:30:35.010Z",
"dateUpdated": "2025-09-09T13:44:06.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52008 (GCVE-0-2024-52008)
Vulnerability from nvd – Published: 2024-11-26 18:52 – Updated: 2024-11-26 19:16
Title
Password Policy Bypass Vulnerability in Fides Webserver
Summary
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. That specific user's account can therefore be compromised easily by an attacker guessing or brute-forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T19:16:30.665227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T19:16:54.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.50.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user\u0027s email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user\u0027s account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602: Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T18:52:40.102Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r"
}
],
"source": {
"advisory": "GHSA-v7vm-rhmg-8j2r",
"discovery": "UNKNOWN"
},
"title": "Password Policy Bypass Vulnerability in Fides Webserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52008",
"datePublished": "2024-11-26T18:52:40.102Z",
"dateReserved": "2024-11-04T17:46:16.779Z",
"dateUpdated": "2024-11-26T19:16:54.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45053 (GCVE-0-2024-45053)
Vulnerability from nvd – Published: 2024-09-04 16:04 – Updated: 2024-09-04 18:02
Title
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
Summary
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Severity
9.1 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.44.0",
"status": "affected",
"version": "2.19.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T18:01:28.427738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T18:02:37.351Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:04:03.741Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx"
},
{
"name": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5"
}
],
"source": {
"advisory": "GHSA-c34r-238x-f7qx",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45053",
"datePublished": "2024-09-04T16:04:03.741Z",
"dateReserved": "2024-08-21T17:53:51.332Z",
"dateUpdated": "2024-09-04T18:02:37.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45052 (GCVE-0-2024-45052)
Vulnerability from nvd – Published: 2024-09-04 15:43 – Updated: 2024-09-04 16:19
Title
Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
Summary
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Severity
5.3 (Medium)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.44.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45052",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:19:06.969242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:19:47.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:43:52.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv"
},
{
"name": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4"
}
],
"source": {
"advisory": "GHSA-2h46-8gf5-fmxv",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45052",
"datePublished": "2024-09-04T15:43:52.056Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-09-04T16:19:47.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31223 (GCVE-0-2024-31223)
Vulnerability from nvd – Published: 2024-07-03 17:34 – Updated: 2024-08-02 01:46
Title
Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
Summary
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
Severity
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:2.19.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.39.2rc0",
"status": "affected",
"version": "2.19.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T18:20:08.631813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T18:20:30.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg"
},
{
"name": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.39.2rc0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T17:34:48.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg"
},
{
"name": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097"
}
],
"source": {
"advisory": "GHSA-53q7-4874-24qg",
"discovery": "UNKNOWN"
},
"title": "Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31223",
"datePublished": "2024-07-03T17:34:48.508Z",
"dateReserved": "2024-03-29T14:16:31.902Z",
"dateUpdated": "2024-08-02T01:46:04.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38537 (GCVE-0-2024-38537)
Vulnerability from nvd – Published: 2024-07-02 19:50 – Updated: 2024-08-02 04:12
Title
Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
Summary
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of the time of publication.
The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
Severity
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T20:11:37.728266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:11:44.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:24.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m"
},
{
"name": "https://github.com/ethyca/fides/pull/5026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/pull/5026"
},
{
"name": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005"
},
{
"name": "https://fetch.spec.whatwg.org",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fetch.spec.whatwg.org"
},
{
"name": "https://sansec.io/research/polyfill-supply-chain-attack",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.39.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication.\n\nThe vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T19:50:10.275Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m"
},
{
"name": "https://github.com/ethyca/fides/pull/5026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/pull/5026"
},
{
"name": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005"
},
{
"name": "https://fetch.spec.whatwg.org",
"tags": [
"x_refsource_MISC"
],
"url": "https://fetch.spec.whatwg.org"
},
{
"name": "https://sansec.io/research/polyfill-supply-chain-attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://sansec.io/research/polyfill-supply-chain-attack"
}
],
"source": {
"advisory": "GHSA-cvw4-c69g-7v7m",
"discovery": "UNKNOWN"
},
"title": "Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38537",
"datePublished": "2024-07-02T19:50:10.275Z",
"dateReserved": "2024-06-18T16:37:02.729Z",
"dateUpdated": "2024-08-02T04:12:24.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35189 (GCVE-0-2024-35189)
Vulnerability from nvd – Published: 2024-05-30 19:47 – Updated: 2024-08-02 03:07
Title
Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides
Summary
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meet these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery`, whose sensitive fields are at the root level and not nested, are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability.
Severity
6.5 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.37.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T20:38:12.376244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T20:38:18.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.734Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c"
},
{
"name": "https://cloud.google.com/iam/docs/key-rotation",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cloud.google.com/iam/docs/key-rotation"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.37.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides\u0027s developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `\"**********\"` placeholder value. This vulnerability is due to a bug in that function, which prevented `sensitive` API model fields that were _nested_ below the root-level of a `secrets` object from being masked appropriately. Only the `BigQuery` connection configuration secrets meets these criteria: the secrets schema has a nested sensitive `keyfile_creds.private_key` property that is exposed in plaintext via the APIs. Connection types other than `BigQuery` with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-30T19:47:43.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c"
},
{
"name": "https://cloud.google.com/iam/docs/key-rotation",
"tags": [
"x_refsource_MISC"
],
"url": "https://cloud.google.com/iam/docs/key-rotation"
}
],
"source": {
"advisory": "GHSA-rcvg-jj3g-rj7c",
"discovery": "UNKNOWN"
},
"title": "Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35189",
"datePublished": "2024-05-30T19:47:43.080Z",
"dateReserved": "2024-05-10T14:24:24.341Z",
"dateUpdated": "2024-08-02T03:07:46.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}