Homepage

Exposure of Sensitive Information to an Unauthorized Actor Affecting ethyca-fides package, versions [2.19.0,2.39.2)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-ETHYCAFIDES-7430191
  • published7 Jul 2024
  • disclosed5 Jul 2024
  • creditRobertKeyser
Report a new vulnerability Found a mistake?

Introduced: 5 Jul 2024

CVE-2024-31223  (opens in a new tab)
CWE-497  (opens in a new tab)

How to fix?

Upgrade ethyca-fides to version 2.39.2 or higher.

Overview

ethyca-fides is an Open-source ecosystem for data privacy as code.

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor through the SERVER_SIDE_FIDES_API_URL environment variable. An attacker can obtain sensitive server-side configuration details by making an unauthorized HTTP GET request.

PoC

  1. Set the value of the environment variable FIDES_PRIVACY_CENTER__SERVER_SIDE_FIDES_API_URL of your Fides Privacy Center container before start-up to a private value such as https://some.private.domain.name/api/v1 and start the Privacy Center application

  2. Once the application is up, perform a HTTP GET request of the Privacy Center's main page e.g. https://privacy.example.com . The value of SERVER_SIDE_FIDES_API_URL is returned in the response's body.

curl -s https://privacy.example.com/ | \
grep '__NEXT_DATA__' | \
sed 's/.*<script id="__NEXT_DATA__" type="application\/json">//;s/<\/script>.*//' | \
jq '.props.serverEnvironment.settings.SERVER_SIDE_FIDES_API_URL'
"https://some.private.domain.name/api/v1"

CVSS Scores

version 4.0
version 3.1