CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35189 – Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides
https://notcve.org/view.php?id=CVE-2024-35189
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (`sensitive`) that they can annotate as `True` to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `"**********"` placeholder value. • https://cloud.google.com/iam/docs/key-rotation https://github.com/ethyca/fides/security/advisories/GHSA-rcvg-jj3g-rj7c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 2.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34715 – Partial Password Exposure Vulnerability in Fides Webserver Logs
https://notcve.org/view.php?id=CVE-2024-34715
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. • https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7 https://github.com/sqlalchemy/sqlalchemy/discussions/6615 • CWE-116: Improper Encoding or Escaping of Output CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48224 – Cryptographically Weak Generation of One-Time Codes for Identity Verification in ethyca-fides
https://notcve.org/view.php?id=CVE-2023-48224
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. • https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6 https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358 https://peps.python.org/pep-0506 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47114 – Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages
https://notcve.org/view.php?id=CVE-2023-47114
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. • https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1 https://github.com/ethyca/fides/releases/tag/2.23.3 https://github.com/ethyca/fides/security/advisories/GHSA-3vpf-mcj7-5h38 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46124 – Server-Side Request Forgery Vulnerability in Custom Integration Upload
https://notcve.org/view.php?id=CVE-2023-46124
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. The vulnerability has been patched in Fides version `2.22.1`. • https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee https://github.com/ethyca/fides/releases/tag/2.22.1 https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4 • CWE-918: Server-Side Request Forgery (SSRF) •