Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01M3E3LTQ4NzQtMjRxZ84AA9m9
Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port.
This vulnerability allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL.
Impact
Disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names.
Patches
The vulnerability has been patched in Fides version 2.39.2. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
There are no workarounds.
Proof of Concept
-
Set the value of the environment variable
FIDES_PRIVACY_CENTER__SERVER_SIDE_FIDES_API_URLof your Fides Privacy Center container before start-up to a private value such ashttps://some.private.domain.name/api/v1and start the Privacy Center application. -
Once the application is up, perform a HTTP GET request of the Privacy Center's main page e.g.
https://privacy.example.com. The value ofSERVER_SIDE_FIDES_API_URLis returned in the response's body.
~ ❯ curl -s https://privacy.example.com/ | \
grep '__NEXT_DATA__' | \
sed 's/.*<script id="__NEXT_DATA__" type="application\/json">//;s/<\/script>.*//' | \
jq '.props.serverEnvironment.settings.SERVER_SIDE_FIDES_API_URL'
"https://some.private.domain.name/api/v1"
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01M3E3LTQ4NzQtMjRxZ84AA9m9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-53q7-4874-24qg, CVE-2024-31223
References:
- https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg
- https://nvd.nist.gov/vuln/detail/CVE-2024-31223
- https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097
- https://github.com/ethyca/fides/commit/cd510216b281de5443ec1c126add95cc5be0970a
- https://github.com/advisories/GHSA-53q7-4874-24qg
Blast Radius: 1.0
Affected Packages
pypi:ethyca-fides
Dependent packages: 0Dependent repositories: 0
Downloads: 16,530 last month
Affected Version Ranges: >= 2.19.0, < 2.39.2
Fixed in: 2.39.2
All affected versions: 2.19.0, 2.19.1, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.22.0, 2.22.1, 2.23.0, 2.23.1, 2.23.2, 2.23.3, 2.24.0, 2.24.1, 2.25.0, 2.26.0, 2.26.3, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.30.1, 2.31.0, 2.32.0, 2.33.0, 2.33.1, 2.34.0, 2.35.0, 2.35.1, 2.36.0, 2.37.0, 2.38.0, 2.38.1, 2.39.0, 2.39.1
All unaffected versions: 1.9.9, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.16.0, 2.17.0, 2.17.1, 2.18.0, 2.39.2, 2.40.0, 2.41.0, 2.42.0, 2.42.1, 2.43.0