GSA_kwCzR0hTQS01M3E3LTQ4NzQtMjRxZ84AA9m9

Moderate CVSS: 5.3 EPSS: 0.06586% (0.90867 Percentile) EPSS:

Permalink JSON

Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL

Affected Packages	Affected Versions	Fixed Versions
pypi:ethyca-fides PURL: `pkg:pypi/ethyca-fides`	>= 2.19.0, < 2.39.2	2.39.2
0 Dependent packages 0 Dependent repositories 26,578 Downloads last month Affected Version Ranges All affected versions 2.19.0, 2.19.0rc6, 2.19.0rc7, 2.19.0rc8, 2.19.0rc10, 2.19.1, 2.19.1b0, 2.19.1rc1, 2.19.1rc2, 2.19.2b0, 2.19.2b1, 2.19.2b2, 2.20.0, 2.20.0rc0, 2.20.0rc1, 2.20.0rc2, 2.20.0rc3, 2.20.0rc4, 2.20.0rc5, 2.20.0rc6, 2.20.0rc7, 2.20.1, 2.20.1b0, 2.20.1b1, 2.20.1b2, 2.20.1b3, 2.20.1rc0, 2.20.2, 2.20.2b0, 2.20.2rc0, 2.20.3b0, 2.20.3b1, 2.20.3b2, 2.21.0, 2.21.0rc0, 2.21.0rc1, 2.21.0rc2, 2.21.0rc3, 2.21.0rc4, 2.21.0rc5, 2.21.1b0, 2.21.1b2, 2.21.1b3, 2.22.0, 2.22.0rc0, 2.22.0rc1, 2.22.0rc2, 2.22.0rc3, 2.22.0rc4, 2.22.0rc5, 2.22.1, 2.22.1b0, 2.22.1b1, 2.22.1b2, 2.22.1b3, 2.22.1rc0, 2.22.1rc1, 2.22.2b0, 2.22.2b1, 2.22.2b2, 2.22.2b3, 2.23.0, 2.23.0rc0, 2.23.0rc1, 2.23.0rc2, 2.23.0rc3, 2.23.0rc4, 2.23.0rc5, 2.23.0rc6, 2.23.0rc7, 2.23.1, 2.23.1b0, 2.23.1rc0, 2.23.2, 2.23.2b0, 2.23.3, 2.23.3b0, 2.23.3b1, 2.23.3b3, 2.23.3rc0, 2.23.3rc1, 2.23.3rc2, 2.24.0, 2.24.0rc0, 2.24.0rc2, 2.24.0rc3, 2.24.0rc4, 2.24.0rc5, 2.24.0rc6, 2.24.0rc7, 2.24.0rc8, 2.24.0rc9, 2.24.1, 2.24.1b0, 2.24.1b1, 2.24.1rc0, 2.24.1rc1, 2.24.2b0, 2.24.2b1, 2.25.0, 2.25.0rc0, 2.25.1b0, 2.25.1b1, 2.25.1b2, 2.25.1b3, 2.25.1b4, 2.26.0, 2.26.0rc0, 2.26.0rc1, 2.26.0rc2, 2.26.0rc3, 2.26.0rc4, 2.26.0rc5, 2.26.0rc6, 2.26.0rc7, 2.26.0rc8, 2.26.0rc9, 2.26.1b0, 2.26.1b1, 2.26.3, 2.27.0, 2.27.0rc0, 2.27.0rc1, 2.27.0rc2, 2.27.0rc3, 2.27.0rc4, 2.27.0rc5, 2.27.0rc6, 2.27.0rc7, 2.27.0rc8, 2.27.0rc9, 2.27.1b0, 2.27.1b1, 2.28.0, 2.28.0rc0, 2.28.0rc1, 2.28.0rc2, 2.28.0rc3, 2.28.0rc4, 2.28.0rc5, 2.28.1a5, 2.28.1b0, 2.28.1b1, 2.29.0, 2.29.0rc0, 2.29.0rc1, 2.29.0rc2, 2.29.0rc3, 2.29.0rc4, 2.29.1b0, 2.29.1b1, 2.30.0, 2.30.0rc0, 2.30.0rc1, 2.30.0rc2, 2.30.1, 2.30.1b0, 2.30.1rc0, 2.30.2b0, 2.30.2b1, 2.31.0, 2.31.0rc0, 2.31.0rc1, 2.31.0rc2, 2.31.0rc3, 2.31.1b0, 2.31.1b2, 2.32.0, 2.32.0rc0, 2.32.0rc1, 2.32.0rc2, 2.32.0rc3, 2.32.1b1, 2.32.1b2, 2.33.0, 2.33.0rc0, 2.33.0rc1, 2.33.0rc2, 2.33.0rc3, 2.33.1, 2.33.1b0, 2.33.1rc0, 2.33.2a0, 2.33.2b0, 2.34.0, 2.34.0rc0, 2.34.0rc1, 2.34.0rc2, 2.34.0rc3, 2.34.0rc4, 2.34.0rc5, 2.34.1a0, 2.34.1b0, 2.34.1rc1, 2.34.2b0, 2.34.2b1, 2.34.2b2, 2.34.2b3, 2.35.0, 2.35.0rc0, 2.35.0rc1, 2.35.0rc2, 2.35.1, 2.35.1rc0, 2.35.2b0, 2.35.2b1, 2.36.0, 2.36.0rc0, 2.36.0rc1, 2.36.1a0, 2.36.1b0, 2.36.1rc1, 2.36.1rc2, 2.36.1rc3, 2.36.1rc4, 2.36.2b0, 2.36.2b1, 2.36.2b2, 2.36.2b3, 2.36.2b4, 2.36.2b5, 2.37.0, 2.37.0rc0, 2.37.0rc1, 2.37.0rc2, 2.37.0rc3, 2.37.0rc4, 2.37.1b0, 2.37.1b1, 2.37.1b2, 2.37.1b3, 2.37.1b4, 2.38.0, 2.38.0rc0, 2.38.0rc1, 2.38.1, 2.38.1b0, 2.38.1b1, 2.38.1rc0, 2.38.1rc1, 2.38.2b0, 2.38.2b1, 2.38.2b2, 2.39.0, 2.39.0rc0, 2.39.0rc1, 2.39.0rc2, 2.39.1, 2.39.1b0, 2.39.1rc0 All unaffected versions 1.9.9, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1b2, 2.10.1b3, 2.11.0, 2.11.1b0, 2.11.1b1, 2.11.1b2, 2.11.1b3, 2.11.1b4, 2.11.1b5, 2.11.1b6, 2.12.0, 2.12.1, 2.12.1b0, 2.12.1b1, 2.12.1b2, 2.12.1b3, 2.12.1b4, 2.12.2b0, 2.12.2b1, 2.12.2b2, 2.13.0, 2.13.1b0, 2.13.1b1, 2.13.1b2, 2.14.0, 2.14.1, 2.14.1b0, 2.14.1b1, 2.14.1b2, 2.14.2, 2.14.2b0, 2.14.3b0, 2.15.0, 2.15.1, 2.15.1b0, 2.15.1b1, 2.15.2b0, 2.16.0, 2.16.1b0, 2.16.1b1, 2.17.0, 2.17.1, 2.17.1b0, 2.18.0, 2.18.1b0, 2.18.1b1, 2.18.1b2, 2.18.1b4, 2.18.1b5, 2.18.1b6, 2.18.1b7, 2.39.2, 2.39.2b0, 2.39.2rc0, 2.40.0, 2.40.0rc0, 2.40.0rc1, 2.40.0rc2, 2.40.1b0, 2.40.1b1, 2.41.0, 2.41.0rc0, 2.41.0rc1, 2.41.0rc2, 2.41.0rc3, 2.41.0rc4, 2.41.1a1, 2.41.1b0, 2.41.1b1, 2.41.1b2, 2.41.1b3, 2.41.1b4, 2.42.0, 2.42.0rc0, 2.42.0rc1, 2.42.0rc2, 2.42.1, 2.42.1b0, 2.42.1rc0, 2.42.1rc1, 2.42.2b0, 2.42.2b3, 2.42.2b4, 2.43.0, 2.43.0rc0, 2.43.0rc1, 2.43.1b0, 2.43.1rc0, 2.43.2, 2.43.3b0, 2.43.3b1, 2.43.3b2, 2.44.0, 2.44.0rc0, 2.44.0rc1, 2.44.0rc2, 2.44.0rc3, 2.44.0rc4, 2.44.0rc5, 2.44.1b0, 2.44.1b1, 2.44.1b2, 2.44.1b3, 2.44.1b4, 2.44.1b5, 2.44.1b6, 2.45.0, 2.45.0rc0, 2.45.0rc1, 2.45.0rc2, 2.45.0rc3, 2.45.0rc4, 2.45.1, 2.45.1b0, 2.45.1rc0, 2.45.2, 2.45.2rc0, 2.45.3b0, 2.45.3b1, 2.45.3b2, 2.45.3b3, 2.45.3b4, 2.46.0, 2.46.0rc0, 2.46.0rc1, 2.46.1, 2.46.1b0, 2.46.1b4, 2.46.1rc0, 2.46.2, 2.46.2b0, 2.46.2rc0, 2.46.2rc1, 2.46.2rc2, 2.46.3b0, 2.46.3b1, 2.47.0, 2.47.0rc0, 2.47.0rc1, 2.47.0rc2, 2.47.0rc3, 2.47.0rc4, 2.47.1, 2.47.1b0, 2.47.1rc0, 2.47.1rc1, 2.47.2b0, 2.47.2b1, 2.47.2b2, 2.47.2b3, 2.48.0, 2.48.0rc0, 2.48.0rc1, 2.48.0rc2, 2.48.0rc3, 2.48.0rc4, 2.48.1, 2.48.1b0, 2.48.1b1, 2.48.1rc0, 2.48.2, 2.48.2b0, 2.48.2rc0, 2.49.0, 2.49.0rc0, 2.49.1, 2.49.1rc0, 2.49.1rc1, 2.49.1rc2, 2.49.1rc3, 2.49.1rc4, 2.49.1rc5, 2.49.2b0, 2.50.0, 2.50.0rc0, 2.50.0rc1, 2.50.0rc2, 2.50.0rc3, 2.50.0rc5, 2.50.1b0, 2.51.0, 2.51.0rc0, 2.51.0rc1, 2.51.0rc2, 2.51.1, 2.51.1b0, 2.51.1rc0, 2.51.1rc1, 2.51.1rc2, 2.51.2, 2.51.2rc0, 2.51.3b0, 2.51.3b1, 2.51.3b2, 2.52.0, 2.52.0rc0, 2.52.0rc1, 2.52.0rc2, 2.52.0rc3, 2.52.0rc4, 2.52.1b0, 2.52.1b1, 2.52.1b2, 2.53.0, 2.53.0rc0, 2.53.0rc1, 2.53.1b0, 2.53.1b1, 2.54.0, 2.54.0rc0, 2.54.1b0, 2.54.1b1, 2.54.1b2, 2.54.1b3, 2.54.1b5, 2.54.1b6, 2.55.0, 2.55.0rc0, 2.55.0rc1, 2.55.0rc2, 2.55.0rc3, 2.55.0rc4, 2.55.0rc5, 2.55.1, 2.55.1b0, 2.55.1b1, 2.55.1b2, 2.55.1b3, 2.55.1rc0, 2.55.2, 2.55.2rc0, 2.55.3, 2.55.3b0, 2.55.3b1, 2.55.3rc0, 2.55.4, 2.55.4rc0, 2.55.5b0, 2.55.5b1, 2.55.5b2, 2.56.0, 2.56.0rc0, 2.56.0rc1, 2.56.0rc2, 2.56.0rc3, 2.56.0rc4, 2.56.0rc5, 2.56.1, 2.56.1b0, 2.56.1b1, 2.56.1b2, 2.56.1b3, 2.56.1rc0, 2.56.1rc3, 2.56.2, 2.56.2b0, 2.56.2b1, 2.56.2rc0, 2.56.2rc1, 2.56.2rc2, 2.56.2rc3, 2.56.3b0, 2.56.3b1, 2.56.3b2, 2.57.0, 2.57.0rc0, 2.57.0rc1, 2.57.0rc2, 2.57.1, 2.57.1b0, 2.57.1b1, 2.57.1b2, 2.57.1b3, 2.57.1b4, 2.57.1b5, 2.57.1b6, 2.57.1b7, 2.57.1b8, 2.57.1b9, 2.57.1rc0, 2.57.2b0, 2.58.0, 2.58.0rc0, 2.58.0rc1, 2.58.0rc2, 2.58.0rc3, 2.58.1, 2.58.1b0, 2.58.1b1, 2.58.1b2, 2.58.1b3, 2.58.1b4, 2.58.1b5, 2.58.1rc0, 2.58.2, 2.58.2b0, 2.58.2b1, 2.58.2b2, 2.58.2b3, 2.58.2b5, 2.58.2rc0, 2.58.3b0, 2.58.3b1, 2.58.3b2, 2.59.0, 2.59.0rc0, 2.59.0rc1, 2.59.1, 2.59.1b0, 2.59.1rc0, 2.59.2, 2.59.2b0, 2.59.2b1, 2.59.2b2, 2.59.2b3, 2.59.2rc0, 2.59.2rc1, 2.59.3b0, 2.60.0, 2.60.0rc0, 2.60.0rc1, 2.60.0rc2, 2.60.0rc3, 2.60.0rc4, 2.60.0rc5, 2.60.1, 2.60.1b0, 2.60.1b1, 2.60.1b2, 2.60.1rc0, 2.60.2b0, 2.60.2b1, 2.61.0, 2.61.0rc0, 2.61.0rc1, 2.61.0rc2, 2.61.0rc3, 2.61.1, 2.61.1b0, 2.61.1b1, 2.61.1b2, 2.61.1b3, 2.61.1rc0, 2.61.2b0, 2.61.2b1, 2.61.2b2, 2.61.2b3, 2.61.2b4, 2.62.0, 2.62.0rc0, 2.62.1b0, 2.62.1b1, 2.62.1b2, 2.62.1b3, 2.62.1rc0, 2.62.1rc1, 2.62.1rc2, 2.63.0, 2.63.0rc0, 2.63.0rc1, 2.63.0rc2, 2.63.0rc3, 2.63.1, 2.63.1b0, 2.63.1b1, 2.63.1b3, 2.63.1b4, 2.63.1rc0, 2.63.1rc2, 2.63.2, 2.63.2rc0, 2.63.2rc1, 2.63.3, 2.63.3b0, 2.63.3rc0, 2.63.5rc0, 2.63.5rc1, 2.63.5rc2, 2.64.0, 2.64.0rc0, 2.64.0rc1, 2.64.1, 2.64.1b0, 2.64.1b1, 2.64.1b2, 2.64.1rc0, 2.64.2, 2.64.2b0, 2.64.2rc0, 2.64.3b0, 2.64.5rc1, 2.64.5rc3, 2.64.5rc4, 2.64.5rc5, 2.64.6b0, 2.64.6b1, 2.64.6b2, 2.65.0, 2.65.0rc0, 2.65.0rc1, 2.65.0rc2, 2.65.0rc3, 2.65.0rc4, 2.65.0rc5, 2.65.0rc6, 2.65.0rc7, 2.65.0rc8, 2.65.0rc9, 2.65.0rc10, 2.65.0rc11, 2.65.1, 2.65.1b0, 2.65.1b1, 2.65.1b2, 2.65.1rc0, 2.65.2, 2.65.2rc0, 2.65.2rc1, 2.65.2rc2, 2.65.3b0, 2.65.3b1, 2.65.3b2, 2.65.3b3, 2.66.0, 2.66.0rc0, 2.66.0rc1, 2.66.1, 2.66.1b0, 2.66.1b1, 2.66.1rc0, 2.66.2, 2.66.2b0, 2.66.2b1, 2.66.2b2, 2.66.2rc0, 2.66.3b0, 2.67.0, 2.67.0rc0, 2.67.0rc1, 2.67.0rc2, 2.67.0rc3, 2.67.0rc4, 2.67.0rc5, 2.67.1, 2.67.1b0, 2.67.1b1, 2.67.1rc0, 2.67.1rc1, 2.67.2, 2.67.2b0, 2.67.2b1, 2.67.2b2, 2.67.2b3, 2.67.2rc0, 2.67.3b0, 2.67.3b1, 2.68.0, 2.68.0rc0, 2.68.0rc1, 2.68.0rc2, 2.68.0rc3, 2.68.0rc4, 2.68.0rc5, 2.68.1b0, 2.68.1b1, 2.68.1b2, 2.68.1b3, 2.68.1b4, 2.69.0, 2.69.0rc0, 2.69.0rc1, 2.69.0rc2, 2.69.0rc3, 2.69.0rc4, 2.69.0rc5, 2.69.0rc6, 2.69.0rc7, 2.69.0rc8, 2.69.0rc9, 2.69.0rc10, 2.69.1, 2.69.1b0, 2.69.1b1, 2.69.1b2, 2.69.1rc0, 2.69.1rc1, 2.69.2, 2.69.2b0, 2.69.2rc0, 2.69.2rc1, 2.69.2rc2, 2.69.3b0, 2.69.3b1, 2.69.3b2, 2.70.0, 2.70.0rc0, 2.70.0rc1, 2.70.0rc2, 2.70.0rc3, 2.70.0rc4, 2.70.0rc5, 2.70.0rc6, 2.70.1, 2.70.1b0, 2.70.1b1, 2.70.1rc0, 2.70.1rc3, 2.70.2, 2.70.2rc0, 2.70.3, 2.70.3b0, 2.70.3rc0, 2.70.4, 2.70.4b0, 2.70.4rc0, 2.70.5, 2.70.5b0, 2.70.5rc0, 2.70.6rc0, 2.71.0, 2.71.0rc0, 2.71.0rc1, 2.71.0rc2, 2.71.0rc3, 2.71.0rc4, 2.71.1, 2.71.1b0, 2.71.1b1, 2.71.1rc0, 2.71.1rc1, 2.71.1rc2, 2.71.2b0, 2.72.0, 2.72.0rc0, 2.72.0rc1, 2.72.0rc2, 2.72.0rc3, 2.72.0rc4, 2.72.1, 2.72.1b0, 2.72.1rc0, 2.72.2, 2.72.2rc0, 2.72.3, 2.72.3b0, 2.72.3rc0, 2.72.3rc1, 2.72.4b1, 2.73.0, 2.73.0rc0, 2.73.0rc1, 2.73.0rc2, 2.73.0rc3, 2.73.0rc4, 2.73.1, 2.73.1b0, 2.73.1rc0, 2.73.1rc1, 2.73.1rc2, 2.73.2b0, 2.73.2b1, 2.74.0, 2.74.0rc0, 2.74.0rc1, 2.74.0rc2, 2.74.1, 2.74.1b0, 2.74.1rc0, 2.74.2, 2.74.2b0, 2.74.2rc0, 2.74.3, 2.74.3b0, 2.74.3rc0, 2.74.3rc1, 2.75.0, 2.75.0rc0, 2.75.0rc1, 2.75.0rc2, 2.75.0rc3, 2.75.0rc4, 2.75.1, 2.75.1rc0, 2.75.2, 2.75.2rc0, 2.75.3b0, 2.76.0, 2.76.0rc0, 2.76.0rc1, 2.76.0rc2, 2.76.0rc3, 2.76.1, 2.76.1rc0, 2.76.1rc1, 2.76.2a10, 2.76.2a12, 2.77.0, 2.77.0rc0, 2.77.0rc2, 2.77.0rc3, 2.77.0rc4, 2.77.0rc5, 2.77.0rc6, 2.77.0rc7, 2.77.1, 2.77.1a0, 2.77.1rc0, 2.77.1rc1, 2.77.2a0, 2.77.2a1, 2.77.2a2, 2.77.2a3, 2.77.2b0, 2.77.2b1

SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port.

This vulnerability allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL.

Impact

Disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names.

Patches

The vulnerability has been patched in Fides version 2.39.2. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Proof of Concept

Set the value of the environment variable FIDES_PRIVACY_CENTER__SERVER_SIDE_FIDES_API_URL of your Fides Privacy Center container before start-up to a private value such as https://some.private.domain.name/api/v1 and start the Privacy Center application.
Once the application is up, perform a HTTP GET request of the Privacy Center's main page e.g. https://privacy.example.com . The value of SERVER_SIDE_FIDES_API_URL is returned in the response's body.

~ ❯ curl -s https://privacy.example.com/ | \
grep '__NEXT_DATA__' | \
sed 's/.*<script id="__NEXT_DATA__" type="application\/json">//;s/<\/script>.*//' | \
jq '.props.serverEnvironment.settings.SERVER_SIDE_FIDES_API_URL'
"https://some.private.domain.name/api/v1"

References:

Identifiers

GHSA-53q7-4874-24qg

CVE-2024-31223

Risk

Severity

Moderate

CVSS

CVSS Score: 5.3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

EPSS Percentage: 0.06586

EPSS Percentile: 0.90867

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ethyca/fides
View on Ecosyste.ms

Date and time

Published

over 1 year ago

Updated

3 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories