CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45052 – Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
https://notcve.org/view.php?id=CVE-2024-45052
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. • https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4 https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv • CWE-208: Observable Timing Discrepancy •
CVSS: 0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38537 – Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
https://notcve.org/view.php?id=CVE-2024-38537
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. • https://fetch.spec.whatwg.org https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005 https://github.com/ethyca/fides/pull/5026 https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m https://sansec.io/research/polyfill-supply-chain-attack • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35189 – Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides
https://notcve.org/view.php?id=CVE-2024-35189
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. • https://cloud.google.com/iam/docs/key-rotation https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34715 – Partial Password Exposure Vulnerability in Fides Webserver Logs
https://notcve.org/view.php?id=CVE-2024-34715
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. • https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7 https://github.com/sqlalchemy/sqlalchemy/discussions/6615 • CWE-116: Improper Encoding or Escaping of Output CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48224 – Cryptographically Weak Generation of One-Time Codes for Identity Verification in ethyca-fides
https://notcve.org/view.php?id=CVE-2023-48224
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. • https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6 https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358 https://peps.python.org/pep-0506 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •