CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45053 – Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
https://notcve.org/view.php?id=CVE-2024-45053
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. • https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5 https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45052 – Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
https://notcve.org/view.php?id=CVE-2024-45052
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. • https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4 https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv • CWE-208: Observable Timing Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31223 – Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
https://notcve.org/view.php?id=CVE-2024-31223
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. • https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097 https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38537 – Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
https://notcve.org/view.php?id=CVE-2024-38537
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. • https://fetch.spec.whatwg.org https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005 https://github.com/ethyca/fides/pull/5026 https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m https://sansec.io/research/polyfill-supply-chain-attack • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35189 – Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides
https://notcve.org/view.php?id=CVE-2024-35189
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. • https://cloud.google.com/iam/docs/key-rotation https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •