Skip to main content

Fides CVE-2023-46125

MEDIUM
Information Exposure (CWE-200)
2023-10-25 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 25, 2023 - 18:17 nvd
MEDIUM 6.5

DescriptionNVD

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the GET api/v1/config endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version 2.22.1.

AnalysisAI

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the GET api/v1/config endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version 2.22.1. Affected products include: Ethyca Fides.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Fides

View all
CVE-2024-45053 HIGH POC
7.2 Sep 04

Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp

CVE-2024-35189 MEDIUM POC
6.5 May 30

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-38537 CRITICAL
9.8 Jul 02

Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2024-45052 MEDIUM POC
5.3 Sep 04

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e

CVE-2024-31223 MEDIUM POC
5.3 Jul 03

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration env

CVE-2023-48224 CRITICAL
9.1 Nov 15

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-36827 HIGH
7.5 Jul 05

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2024-34715 LOW POC
3.3 May 29

Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co

CVE-2023-46124 HIGH
7.2 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

CVE-2023-41319 HIGH
7.2 Sep 06

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-47114 MEDIUM
6.1 Nov 08

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti

CVE-2023-46126 MEDIUM
5.4 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

Share

CVE-2023-46125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy