{"id": "CVE-2023-46125", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-10-25T18:17:36.470", "references": [{"url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": 
"Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers\u2019 addresses and ports, and the database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role, e.g. the viewer role, to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`."}], "lastModified": "2024-11-21T08:27:55.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA76F207-3012-48FE-AAB5-9B061A5AE996", "versionEndExcluding": "2.22.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}
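The authorization defect the record describes (CWE-863: an authenticated but low-privileged Admin UI role can read the filtered config), shown as an added Python example. This is not Fides code and does not reproduce the project's real route handler or role model; the `User` class, the role names, the `Forbidden` exception, the handler functions and the sample configuration are all hypothetical constructs built for illustration. The block shows the pre-fix shape (any authenticated role passes), the post-fix shape (owner role required), why the redacted document still matters (hostnames, ports and the database username survive filtering, exactly the categories the description lists), and a version check derived from the record's `versionEndExcluding` of `2.22.1`.

```python
"""Role-gated config endpoint: the pre-2.22.1 shape of the bug beside a fixed form.

Added illustration, not Fides code. Roles, handler names, the Forbidden
exception and the sample configuration are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample configuration, modelled on the categories the advisory
# names (server addresses/ports, database username) plus a couple of secrets.
SAMPLE_CONFIG = {
    "database": {"server": "db.internal.example", "port": 5432,
                 "user": "fides_app", "password": "s3cr3t"},
    "redis": {"host": "cache.internal.example", "port": 6379, "password": "r3d1s"},
    "security": {"app_encryption_key": "0123456789abcdef"},
    "logging": {"level": "INFO"},
}

# Keys treated as secrets and suppressed before the config is returned.
SENSITIVE_KEYS = {"password", "app_encryption_key"}

# Hypothetical role ladder, lowest to highest.
AUTHENTICATED_ROLES = {"viewer", "contributor", "owner"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def filter_config(config: dict) -> dict:
    """Recursively drop secret-valued keys. Everything else, including
    hostnames, ports and the database username, passes through, which is why
    the advisory treats even the filtered document as sensitive."""
    out = {}
    for key, value in config.items():
        if key in SENSITIVE_KEYS:
            continue
        out[key] = filter_config(value) if isinstance(value, dict) else value
    return out


def get_config_vulnerable(user: User, config: dict = SAMPLE_CONFIG) -> dict:
    """Vulnerable shape: authentication is checked, but no role is required."""
    if user.role not in AUTHENTICATED_ROLES:
        raise Forbidden("unauthenticated")
    return filter_config(config)


def get_config_fixed(user: User, config: dict = SAMPLE_CONFIG) -> dict:
    """Fixed shape: the endpoint additionally requires the owner role."""
    if user.role != "owner":
        raise Forbidden("config is restricted to the owner role")
    return filter_config(config)


def leaked_infrastructure_details(filtered: dict) -> list:
    """List the host/port/username values that survive redaction."""
    found = []
    for section, settings in filtered.items():
        if isinstance(settings, dict):
            for key, value in settings.items():
                if key in {"server", "host", "port", "user"}:
                    found.append(f"{section}.{key}={value}")
    return found


def is_affected_version(version: str, fixed: str = "2.22.1") -> bool:
    """CPE match from the record: affected when version < 2.22.1 (versionEndExcluding)."""
    def as_tuple(v: str) -> tuple:
        return tuple(int(part) for part in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


if __name__ == "__main__":
    viewer = User("alice", "viewer")
    print("viewer sees:", leaked_infrastructure_details(get_config_vulnerable(viewer)))
    try:
        get_config_fixed(viewer)
    except Forbidden as exc:
        print("fixed endpoint:", exc)
    print("2.22.0 affected:", is_affected_version("2.22.0"))
```

The point of `leaked_infrastructure_details` is the one the description makes: redaction of passwords and keys is not the same as authorization, and a config endpoint that still names internal hosts, ports and a database account should be gated on role, not merely on a valid session.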