Skip to main content

Fides CVE-2024-38537

CRITICAL
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2024-07-02 security-advisories@github.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 02, 2024 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving fides.js to download and execute malicious scripts from the polyfill.io domain when the domain was compromised and serving malware. No exploitation of fides.js via polyfill.io has been identified as of time of publication.

The vulnerability has been patched in Fides version 2.39.1. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.

AnalysisAI

Fides is an open-source privacy engineering platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-829. Fides is an open-source privacy engineering platform. fides.js, a client-side script used to interact with the consent management features of Fides, used the polyfill.io domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving fides.js to download and execute malicious scripts from the polyfill.io domain when the domain was compromised and serving malware. No exploitation of fides.js via polyfill.io has been identified as of time of publication. The vulnerability has been patched in Fides version 2.39.1. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure polyfill.io and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. Affected products include: Ethyca Fides.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Fides

View all
CVE-2024-45053 HIGH POC
7.2 Sep 04

Fides is an open-source privacy engineering platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exp

CVE-2024-35189 MEDIUM POC
6.5 May 30

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-45052 MEDIUM POC
5.3 Sep 04

Fides is an open-source privacy engineering platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely e

CVE-2024-31223 MEDIUM POC
5.3 Jul 03

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration env

CVE-2023-48224 CRITICAL
9.1 Nov 15

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-36827 HIGH
7.5 Jul 05

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2024-34715 LOW POC
3.3 May 29

Fides is an open-source privacy engineering platform. Rated low severity (CVSS 3.3), this vulnerability is low attack co

CVE-2023-46124 HIGH
7.2 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

CVE-2023-41319 HIGH
7.2 Sep 06

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-46125 MEDIUM
6.5 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime

CVE-2023-47114 MEDIUM
6.1 Nov 08

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runti

CVE-2023-46126 MEDIUM
5.4 Oct 25

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime en

Share

CVE-2024-38537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy