Fides
CVE-2024-35189
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve ConnectionConfiguration records and their associated secrets which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These secrets are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (sensitive) that they can annotate as True to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses sensitive annotations to mask the sensitive fields with a "**" placeholder value. This vulnerability is due to a bug in that function, which prevented sensitive API model fields that were _nested_ below the root-level of a secrets object from being masked appropriately. Only the BigQuery connection configuration secrets meets these criteria: the secrets schema has a nested sensitive keyfile_creds.private_key property that is exposed in plaintext via the APIs. Connection types other than BigQuery with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability.
AnalysisAI
Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve ConnectionConfiguration records and their associated secrets which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These secrets are stored encrypted at rest (in the application database), and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients, as it could be compromising. Fides's developers have available to them a Pydantic field-attribute (sensitive) that they can annotate as True to indicate that a given secret field should not be exposed via the API. The application has an internal function that uses sensitive annotations to mask the sensitive fields with a "**" placeholder value. This vulnerability is due to a bug in that function, which prevented sensitive API model fields that were _nested_ below the root-level of a secrets object from being masked appropriately. Only the BigQuery connection configuration secrets meets these criteria: the secrets schema has a nested sensitive keyfile_creds.private_key property that is exposed in plaintext via the APIs. Connection types other than BigQuery with sensitive fields at the root-level that are not nested are properly masked with the placeholder and are not affected by this vulnerability. This vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. Users are also advised to rotate any Google Cloud secrets used for BigQuery integrations in their Fides deployments. There are no known workarounds for this vulnerability. Affected products include: Ethyca Fides. Version information: version 2.37.0..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp
Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration env
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today