14 results (0.003 seconds)

CVSS: 2.0EPSS: 0%CPEs: 1EXPL: 0

Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. • https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r • CWE-602: Client-Side Enforcement of Server-Side Security •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. • https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4 https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv • CWE-208: Observable Timing Discrepancy •

CVSS: 0EPSS: 0%CPEs: 1EXPL: 0

Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. • https://fetch.spec.whatwg.org https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005 https://github.com/ethyca/fides/pull/5026 https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m https://sansec.io/research/polyfill-supply-chain-attack • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. • https://cloud.google.com/iam/docs/key-rotation https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •

CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0

Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. • https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7 https://github.com/sqlalchemy/sqlalchemy/discussions/6615 • CWE-116: Improper Encoding or Escaping of Output CWE-532: Insertion of Sensitive Information into Log File •