
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Nov 2024 — Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite... • https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r • CWE-602: Client-Side Enforcement of Server-Side Security •

CVSS: 9.1 • EPSS: 1% • CPEs: 1 • EXPL: 0

04 Sep 2024 — Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where... • https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Sep 2024 — Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based us... • https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4 • CWE-208: Observable Timing Discrepancy •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Jul 2024 — Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that di... • https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •

CVSS: 0 • EPSS: 7% • CPEs: 1 • EXPL: 1

02 Jul 2024 — Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and... • https://github.com/Havoc10-sw/Detect_polyfill_CVE-2024-38537- • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 May 2024 — Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic ... • https://cloud.google.com/iam/docs/key-rotation • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •

CVSS: 2.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 May 2024 — Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to... • https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords • CWE-116: Improper Encoding or Escaping of Output CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 9.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Nov 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all personal data held by the data controller, or to delete/erase it. Consent requests allow data subject users to modif... • https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Nov 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then be retrieved from connected systems and data stores before being bundled together as a data su... • https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Oct 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the envi... • https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee • CWE-918: Server-Side Request Forgery (SSRF) •