Fides
CVE-2024-31223
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
AnalysisAI
Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-497. Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available. Affected products include: Ethyca Fides. Version information: version 2.19.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp
Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e
Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today