CVE-2024-52008 – Password Policy Bypass Vulnerability in Fides Webserver
https://notcve.org/view.php?id=CVE-2024-52008
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password.
• https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r
• CWE-602: Client-Side Enforcement of Server-Side Security
CVE-2024-45053 – Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
https://notcve.org/view.php?id=CVE-2024-45053
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.
• https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5
• https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx
• CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2024-45052 – Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
https://notcve.org/view.php?id=CVE-2024-45052
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack.
• https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4
• https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv
• CWE-208: Observable Timing Discrepancy
CVE-2024-31223 – Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
https://notcve.org/view.php?id=CVE-2024-31223
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0.
• https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097
• https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg
• CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2024-38537 – Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
https://notcve.org/view.php?id=CVE-2024-38537
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case: when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore, it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of the time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.
• https://fetch.spec.whatwg.org
• https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005
• https://github.com/ethyca/fides/pull/5026
• https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m
• https://sansec.io/research/polyfill-supply-chain-attack
• CWE-829: Inclusion of Functionality from Untrusted Control Sphere