ethyca-fides@2.68.1b4 vulnerabilities

Open-source ecosystem for data privacy as code.

  • latest version: 2.71.1
  • latest non vulnerable version:
  • first published: 2 years ago
  • latest version published: 2 days ago
  • licenses detected:

  • Direct Vulnerabilities

    Known vulnerabilities in the ethyca-fides package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • L (Low severity): Brute Force

    Affected versions of this package are vulnerable to Brute Force via insufficient protections on the authentication process. An attacker can gain unauthorized access to user accounts by performing automated credential testing attacks, such as credential stuffing or password spraying.

    Note:

    This is only exploitable if the attacker possesses valid or commonly used credentials from external breaches.

    How to fix Brute Force?

    Upgrade ethyca-fides to version 2.69.1 or higher.

    Vulnerable versions: [,2.69.1)
    • H (High severity): Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization via the OAuth client creation and update process. An attacker can gain unauthorized access to owner-level privileges by assigning arbitrary scopes to OAuth clients without proper authorization checks.

    How to fix Missing Authorization?

    Upgrade ethyca-fides to version 2.69.1 or higher.

    Vulnerable versions: [,2.69.1)
    • M (Medium severity): Insufficient Session Expiration

    Affected versions of this package are vulnerable to Insufficient Session Expiration due to insufficient session management. The authentication system validates tokens based only on their cryptographic integrity and expiration time, not against the current password state. An attacker can maintain unauthorized access after a password change by reusing previously obtained session tokens, acquired through methods such as cross-site scripting, session hijacking, malware, or physical device access.

    How to fix Insufficient Session Expiration?

    Upgrade ethyca-fides to version 2.69.1 or higher.

    Vulnerable versions: [,2.69.1)
    • M (Medium severity): Improper Control of Interaction Frequency

    Affected versions of this package are vulnerable to Improper Control of Interaction Frequency due to built-in IP-based rate limiting that is ineffective in environments with CDNs, proxies or load balancers. An attacker can overwhelm the system or degrade service availability by sending excessive requests from multiple clients behind a proxy, CDN, or load balancer, thereby bypassing the intended request limits.

    Note:

    This is only exploitable if the deployment relies solely on the built-in rate limiting for protection.

    How to fix Improper Control of Interaction Frequency?

    Upgrade ethyca-fides to version 2.69.1 or higher.

    Vulnerable versions: [,2.69.1)