CVE-2024-31223

Published: Jul 3, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.

Vendor	Product	Versions
ethyca	fides	affected `>= 2.19.0, < 2.39.2rc0`

Weaknesses (CWE)

CWE-497

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg

x_refsource_CONFIRM

https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-31223

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References