
CVE-2024-52008 – Password Policy Bypass Vulnerability in Fides Webserver
https://notcve.org/view.php?id=CVE-2024-52008
26 Nov 2024 — Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite... • https://github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r • CWE-602: Client-Side Enforcement of Server-Side Security •

CVE-2024-45052 – Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
https://notcve.org/view.php?id=CVE-2024-45052
04 Sep 2024 — Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based us... • https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4 • CWE-208: Observable Timing Discrepancy •

CVE-2024-38537 – Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
https://notcve.org/view.php?id=CVE-2024-38537
02 Jul 2024 — Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and... • https://github.com/Havoc10-sw/Detect_polyfill_CVE-2024-38537- • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVE-2024-35189 – Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints in Fides
https://notcve.org/view.php?id=CVE-2024-35189
30 May 2024 — Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic ... • https://cloud.google.com/iam/docs/key-rotation • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •

CVE-2024-34715 – Partial Password Exposure Vulnerability in Fides Webserver Logs
https://notcve.org/view.php?id=CVE-2024-34715
29 May 2024 — Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to... • https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords • CWE-116: Improper Encoding or Escaping of Output CWE-532: Insertion of Sensitive Information into Log File •

CVE-2023-48224 – Cryptographically Weak Generation of One-Time Codes for Identity Verification in ethyca-fides
https://notcve.org/view.php?id=CVE-2023-48224
15 Nov 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all personal data held by the data controller, or delete/erase it. Consent requests allow data subject users to modif... • https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •

CVE-2023-47114 – Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages
https://notcve.org/view.php?id=CVE-2023-47114
08 Nov 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then be retrieved from connected systems and data stores before being bundled together as a data su... • https://github.com/ethyca/fides/commit/50360a0e24aac858459806bb140bb1c4b71e67a1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-46124 – Server-Side Request Forgery Vulnerability in Custom Integration Upload
https://notcve.org/view.php?id=CVE-2023-46124
24 Oct 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the envi... • https://github.com/ethyca/fides/commit/cd344d016b1441662a61d0759e7913e8228ed1ee • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2023-46125 – Fides Information Disclosure Vulnerability in Config API Endpoint
https://notcve.org/view.php?id=CVE-2023-46125
24 Oct 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructur... • https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization •

CVE-2023-46126 – Fides JavaScript Injection Vulnerability in Privacy Center URL
https://notcve.org/view.php?id=CVE-2023-46126
24 Oct 2023 — Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy URL which triggers JavaScript execution when the privacy notice is served by an integrated website. The domain scope of the executed JavaScript is that of the ... • https://github.com/ethyca/fides/commit/3231d19699f9c895c986f6a967a64d882769c506 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •