CVE-2023-46125
Published: 2023-10-25
Priority: P3 (38) | Severity: medium | CVSS 3.1 base score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.72% (49.3rd percentile)
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers' addresses and ports, and the database username. This information is useful to administrative users as well as to attackers, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role (e.g. the viewer role) to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`.
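The defect described above is an authorization gap, not a filtering gap: the response was already scrubbed of secrets, but the remaining infrastructure details were served to any authenticated role. The following added example (not Fides' own code) contrasts a handler that only filters with one that first requires the owner role; the role ordering, config keys and secret-key heuristic are constructed for illustration, only the role names `viewer` and `owner` come from the advisory.

```python
"""Added illustration (not Fides' own code): an owner-only config endpoint.

Role names 'viewer' and 'owner' follow the advisory; the config keys, the
role ordering and the secret-key heuristic are constructed for this example.
"""
from enum import IntEnum
from typing import Any

class Role(IntEnum):
    VIEWER = 1  # read-only Admin UI user (the advisory's example of a low role)
    OWNER = 3   # the role the advisory says should be required

# Constructed sample config: real secrets plus the "harmless" internals
# (hosts, ports, DB username) that a filtered response still exposes.
SAMPLE_CONFIG: dict[str, Any] = {
    "database": {"server": "db.internal", "port": 5432,
                 "user": "fides_app", "password": "hunter2"},
    "redis": {"host": "cache.internal", "port": 6379, "password": "r3d1s"},
    "security": {"app_encryption_key": "0123456789abcdef"},
}

SECRET_MARKERS = ("password", "secret", "key", "token")

def filter_sensitive(cfg: dict[str, Any]) -> dict[str, Any]:
    """Drop keys that look like credentials; keep everything else."""
    out: dict[str, Any] = {}
    for k, v in cfg.items():
        if any(m in k.lower() for m in SECRET_MARKERS):
            continue
        out[k] = filter_sensitive(v) if isinstance(v, dict) else v
    return out

def get_config_before(role: Role, cfg: dict[str, Any]) -> dict[str, Any]:
    """Shape of the pre-2.22.1 problem: any authenticated role receives the
    filtered config, which still reveals hosts, ports and the DB user."""
    return filter_sensitive(cfg)  # role is authenticated but never checked

def get_config_after(role: Role, cfg: dict[str, Any]) -> dict[str, Any]:
    """Owner-only: deny first, then still filter the payload (defence in depth)."""
    if role < Role.OWNER:
        raise PermissionError("owner role required for GET api/v1/config")
    return filter_sensitive(cfg)

def is_denied(role: Role, cfg: dict[str, Any]) -> bool:
    """True if the patched handler refuses this role."""
    try:
        get_config_after(role, cfg)
        return False
    except PermissionError:
        return True
```

Run against `SAMPLE_CONFIG`, the pre-patch handler hands a viewer `db.internal:5432` and the `fides_app` username even though the password is gone; the patched handler refuses the viewer outright.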
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethyca | fides | < 2.22.1 | 2.22.1 |
OSV (2023-10-24): CVE-2023-46125 [MEDIUM] Fides Information Disclosure Vulnerability in Config API Endpoint
GHSA (2023-10-24): CVE-2023-46125 [MEDIUM] CWE-200 Fides Information Disclosure Vulnerability in Config API Endpoint
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06
- https://github.com/ethyca/fides/releases/tag/2.22.1
- https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89