CVE-2023-46125 - OpenCVE

Vendors	Products
Ethyca	Fides

Link	Providers
https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06
https://github.com/ethyca/fides/releases/tag/2.22.1
https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-16T17:51:35.572Z", "datePublished": "2023-10-24T22:42:05.651Z", "dateUpdated": "2024-09-11T13:23:33.012Z"}, "containers": {"cna": {"title": "Fides Information Disclosure Vulnerability in Config API Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89"}, {"name": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06"}, {"name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1"}], "affected": [{"vendor": "ethyca", "product": "fides", "versions": [{"version": "< 2.22.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-24T22:42:05.651Z"}, "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers\u2019 addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`. "}], "source": {"advisory": "GHSA-rjxg-rpg3-9r89", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:39.715Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89"}, {"name": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06"}, {"name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T13:11:03.119147Z", "id": "CVE-2023-46125", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T13:23:33.012Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-16T17:51:35.572Z", "datePublished": "2023-10-24T22:42:05.651Z", "dateUpdated": "2024-09-11T13:23:33.012Z"}, "containers": {"cna": {"title": "Fides Information Disclosure Vulnerability in Config API Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89"}, {"name": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06"}, {"name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1"}], "affected": [{"vendor": "ethyca", "product": "fides", "versions": [{"version": "< 2.22.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-24T22:42:05.651Z"}, "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers\u2019 addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`. "}], "source": {"advisory": "GHSA-rjxg-rpg3-9r89", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:39.715Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89"}, {"name": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06"}, {"name": "https://github.com/ethyca/fides/releases/tag/2.22.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46125", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-11T13:11:03.119147Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T13:23:28.683Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA76F207-3012-48FE-AAB5-9B061A5AE996", "versionEndExcluding": "2.22.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers\u2019 addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`. "}, {"lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. La API del servidor web de Fides permite a los usuarios recuperar su configuraci\u00f3n utilizando el endpoint `GET api/v1/config`. Los datos de configuraci\u00f3n se filtran para suprimir la informaci\u00f3n de configuraci\u00f3n m\u00e1s confidencial antes de devolverla al usuario, pero incluso los datos filtrados contienen informaci\u00f3n sobre los componentes internos y la infraestructura de backend, como diversas configuraciones, direcciones y puertos de servidores y nombre de usuario de la base de datos. Esta informaci\u00f3n es \u00fatil tanto para usuarios administrativos como para atacantes, por lo que no debe revelarse a usuarios con pocos privilegios. Esta vulnerabilidad permite a los usuarios de la interfaz de usuario de administraci\u00f3n con roles inferiores al rol de propietario, por ejemplo, el rol de espectador, recuperar la informaci\u00f3n de configuraci\u00f3n mediante la API. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.22.1` de Fides."}], "id": "CVE-2023-46125", "lastModified": "2023-11-01T16:38:37.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-25T18:17:36.470", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ethyca/fides/releases/tag/2.22.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object