Fides
CVE-2024-38537
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving fides.js to download and execute malicious scripts from the polyfill.io domain when the domain was compromised and serving malware. No exploitation of fides.js via polyfill.io has been identified as of time of publication.
The vulnerability has been patched in Fides version 2.39.1. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
AnalysisAI
Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-829. Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving fides.js to download and execute malicious scripts from the polyfill.io domain when the domain was compromised and serving malware. No exploitation of fides.js via polyfill.io has been identified as of time of publication. The vulnerability has been patched in Fides version 2.39.1. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. Affected products include: Ethyca Fides.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp
Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e
Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration env
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today