Skip to main content

Fides CVE-2024-31223

MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2024-07-03 security-advisories@github.com
5.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 03, 2024 - 18:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.

AnalysisAI

Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-497. Fides is an open-source privacy engineering platform, and SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available. Affected products include: Ethyca Fides. Version information: version 2.19.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Fides

View all
CVE-2024-45053 HIGH POC
7.2 Sep 04

Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp

CVE-2024-35189 MEDIUM POC
6.5 May 30

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-38537 CRITICAL
9.8 Jul 02

Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2024-45052 MEDIUM POC
5.3 Sep 04

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e

CVE-2023-48224 CRITICAL
9.1 Nov 15

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-36827 HIGH
7.5 Jul 05

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2024-34715 LOW POC
3.3 May 29

Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co

CVE-2023-46124 HIGH
7.2 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

CVE-2023-41319 HIGH
7.2 Sep 06

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-46125 MEDIUM
6.5 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-47114 MEDIUM
6.1 Nov 08

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti

CVE-2023-46126 MEDIUM
5.4 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

Share

CVE-2024-31223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy