CVE-2023-46125

Fides Information Disclosure Vulnerability in Config API Endpoint

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`.

Fides es una plataforma de ingeniería de privacidad de código abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecución y la aplicación de regulaciones de privacidad en código. La API del servidor web de Fides permite a los usuarios recuperar su configuración utilizando el endpoint `GET api/v1/config`. Los datos de configuración se filtran para suprimir la información de configuración más confidencial antes de devolverla al usuario, pero incluso los datos filtrados contienen información sobre los componentes internos y la infraestructura de backend, como diversas configuraciones, direcciones y puertos de servidores y nombre de usuario de la base de datos. Esta información es útil tanto para usuarios administrativos como para atacantes, por lo que no debe revelarse a usuarios con pocos privilegios. Esta vulnerabilidad permite a los usuarios de la interfaz de usuario de administración con roles inferiores al rol de propietario, por ejemplo, el rol de espectador, recuperar la información de configuración mediante la API. La vulnerabilidad ha sido parcheada en la versión `2.22.1` de Fides.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-16 CVE Reserved
2023-10-24 CVE Published
2024-09-11 CVE Updated
2024-10-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-863: Incorrect Authorization

CAPEC

References (3)

URL	Tag	Source
https://github.com/ethyca/fides/releases/tag/2.22.1	Release Notes
https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06	2023-11-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ethyca Search vendor "Ethyca"		Fides Search vendor "Ethyca" for product "Fides"				< 2.22.1 Search vendor "Ethyca" for product "Fides" and version " < 2.22.1"		-		Affected