
Ethyca Fides vulnerabilities

22 known vulnerabilities affecting ethyca/fides.

Total CVEs: 22
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 8, MEDIUM 11, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2024-31223 | P1 | MEDIUM | CVSS 5.3 | Exploited | PoC | Affected: >= 2.19.0, < 2.39.2 (also listed as >= 2.19.0, < 2.39.2rc0) | 2024-07-03
CWE-497. Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerabilit...
Source: nvd

CVE-2024-38537 | P3 | CRITICAL | CVSS 9.8 | Fixed in: 2.39.1 | 2024-07-02
CWE-829. Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-...
Source: nvd

CVE-2023-48224 | P3 | CRITICAL | CVSS 9.1 | Fixed in: 2.24.0 | 2023-11-15
CWE-338. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests al...
Source: nvd

CVE-2024-52008 | P3 | HIGH | CVSS 8.8 | Fixed in: 2.50.0 | 2024-11-26
CWE-602. Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of...
Source: nvd

CVE-2023-36827 | P3 | HIGH | CVSS 7.5 | Fixed in: 2.15.1 | 2023-07-05
CWE-22. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal (directory traversal) vulnerability affects fides versions lower than version `2.15.1`, allowing remote attackers to access arbitrary files on the fides...
Source: nvd

CVE-2024-45053 | P3 | HIGH | CVSS 7.2 | Affected: >= 2.19.0, < 2.44.0 | 2024-09-04
CWE-1336. Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to a...
Source: nvd

CVE-2023-41319 | P3 | HIGH | CVSS 7.2 | Affected: >= 2.11.0, < 2.19.0 | 2023-09-06
CWE-94. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the in...
Source: nvd

CVE-2025-57817 | P3 | HIGH | CVSS 7.2 | Fixed in: 2.69.1 | 2025-09-08
CWE-862. Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes th...
Source: nvd

CVE-2023-46124 | P3 | HIGH | CVSS 7.2 | Fixed in: 2.22.1 | 2023-10-25
CWE-918. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, and the enforcement of privacy regulations in code. The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered tha...
Source: nvd

CVE-2025-57816 | P3 | HIGH | CVSS 7.5 | Fixed in: 2.69.1 | 2025-09-08
CWE-799. Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rat...
Source: nvd

CVE-2026-44541 | P3 | HIGH | CVSS 7.0 | Affected: >= 2.33.0, < 2.84.5 | 2026-06-08
CWE-79. Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.
Source: nvd

CVE-2025-57815 | P3 | MEDIUM | CVSS 6.5 | Fixed in: 2.69.1 | 2025-09-08
CWE-307. Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential...
Source: nvd

CVE-2023-46125 | P3 | MEDIUM | CVSS 6.5 | Fixed in: 2.22.1 | 2023-10-25
CWE-200. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensiti...
Source: nvd

CVE-2024-35189 | P3 | MEDIUM | CVSS 6.5 | Fixed in: 2.37.0 | 2024-05-30
CWE-200. Fides is an open-source privacy engineering platform. The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain sensitive data (e.g. passwords, private keys, etc.). These `secrets` are stored encrypted at rest (in the application database), and the associated endpo...
Source: nvd

CVE-2026-42303 | P3 | MEDIUM | CVSS 6.1 | Affected: >= 2.75.0, < 2.83.2 | 2026-05-12
CWE-288. Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result i...
Source: nvd

CVE-2023-47114 | P4 | MEDIUM | CVSS 6.1 | Affected: >= 2.15.1, < 2.23.3 | 2023-11-08
CWE-79. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating...
Source: nvd

CVE-2024-45052 | P4 | MEDIUM | CVSS 5.3 | Fixed in: 2.44.0 | 2024-09-04
CWE-208. Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The...
Source: nvd

CVE-2025-57766 | P4 | MEDIUM | CVSS 4.8 | Fixed in: 2.69.1 | 2025-09-08
CWE-613. Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This is...
Source: nvd

CVE-2023-46126 | P4 | MEDIUM | CVSS 5.4 | Fixed in: 2.22.1 | 2023-10-25
CWE-79. Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime environments, helping enforce privacy regulations in code. The Fides web application allows users to edit consent and privacy notices such as cookie banners. The vulnerability makes it possible to craft a payload in the privacy policy...
Source: nvd

CVE-2023-37480 | P4 | MEDIUM | CVSS 4.9 | Affected: >= 2.11.0, < 2.16.0 | 2023-07-18
CWE-400. Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unav...
Source: nvd
Ethyca Fides vulnerabilities | cvebase