Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01M3E3LTQ4NzQtMjRxZ84AA9m9

Moderate EPSS: 0.00437% (0.61807 Percentile) EPSS:
Permalink JSON

Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL

Affected Packages Affected Versions Fixed Versions
pypi:ethyca-fides >= 2.19.0, < 2.39.2 2.39.2
0 Dependent packages
0 Dependent repositories
9,799 Downloads last month

Affected Version Ranges

All affected versions

2.19.0, 2.19.1, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.22.0, 2.22.1, 2.23.0, 2.23.1, 2.23.2, 2.23.3, 2.24.0, 2.24.1, 2.25.0, 2.26.0, 2.26.3, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.30.1, 2.31.0, 2.32.0, 2.33.0, 2.33.1, 2.34.0, 2.35.0, 2.35.1, 2.36.0, 2.37.0, 2.38.0, 2.38.1, 2.39.0, 2.39.1

All unaffected versions

1.9.9, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.16.0, 2.17.0, 2.17.1, 2.18.0, 2.39.2, 2.40.0, 2.41.0, 2.42.0, 2.42.1, 2.43.0, 2.43.2, 2.44.0, 2.45.0, 2.45.1, 2.45.2, 2.46.0, 2.46.1, 2.46.2, 2.47.0, 2.47.1, 2.48.0, 2.48.1, 2.48.2, 2.49.0, 2.49.1, 2.50.0, 2.51.0, 2.51.1, 2.51.2, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.55.1, 2.55.2, 2.55.3, 2.55.4, 2.56.0, 2.56.1, 2.56.2, 2.57.0, 2.57.1, 2.58.0, 2.58.1, 2.58.2, 2.59.0, 2.59.1, 2.59.2, 2.60.0, 2.60.1, 2.61.0, 2.61.1, 2.62.0, 2.63.0, 2.63.1, 2.63.2, 2.63.3, 2.64.0, 2.64.1, 2.64.2, 2.65.0, 2.65.1, 2.65.2

SERVER_SIDE_FIDES_API_URL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port.

This vulnerability allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL.

Impact

Disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names.

Patches

The vulnerability has been patched in Fides version 2.39.2. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Proof of Concept

  1. Set the value of the environment variable FIDES_PRIVACY_CENTER__SERVER_SIDE_FIDES_API_URL of your Fides Privacy Center container before start-up to a private value such as https://some.private.domain.name/api/v1 and start the Privacy Center application.

  2. Once the application is up, perform a HTTP GET request of the Privacy Center's main page e.g. https://privacy.example.com . The value of SERVER_SIDE_FIDES_API_URL is returned in the response's body.

~ ❯ curl -s https://privacy.example.com/ | \
grep '__NEXT_DATA__' | \
sed 's/.*<script id="__NEXT_DATA__" type="application\/json">//;s/<\/script>.*//' | \
jq '.props.serverEnvironment.settings.SERVER_SIDE_FIDES_API_URL'
"https://some.private.domain.name/api/v1"
References:

Identifiers

GHSA-53q7-4874-24qg

CVE-2024-31223

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00437

EPSS Percentile: 0.61807

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/ethyca/fides

Date and time

Published

about 1 year ago

Updated

about 1 year ago

API

JSON