{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34715", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-07T13:53:00.134Z", "datePublished": "2024-05-29T16:35:46.375Z", "dateUpdated": "2024-08-02T02:59:22.619Z"}, "containers": {"cna": {"title": "Partial Password Exposure Vulnerability in Fides Webserver Logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"}, {"name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"}, {"name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "tags": ["x_refsource_MISC"], "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"}, {"name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "tags": ["x_refsource_MISC"], "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"}], "affected": [{"vendor": "ethyca", "product": "fides", "versions": [{"version": "< 2.37.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-29T16:35:46.375Z"}, "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-8cm5-jfj2-26q7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-03T15:09:16.775448Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:17.727Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.619Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"}, {"name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"}, {"name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"}, {"name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.619Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-03T15:09:16.775448Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-03T15:09:33.031Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Partial Password Exposure Vulnerability in Fides Webserver Logs", "source": {"advisory": "GHSA-8cm5-jfj2-26q7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ethyca", "product": "fides", "versions": [{"status": "affected", "version": "< 2.37.0"}]}], "references": [{"url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "name": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "name": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "name": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "name": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-29T16:35:46.375Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34715", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:59:22.619Z", "dateReserved": "2024-05-07T13:53:00.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-29T16:35:46.375Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. El servidor web de Fides requiere una conexi\u00f3n a una base de datos PostgreSQL alojada para el almacenamiento persistente de los datos de la aplicaci\u00f3n. Si la contrase\u00f1a utilizada por el servidor web para esta conexi\u00f3n de base de datos incluye caracteres especiales como `@` y `$`, el inicio del servidor web falla y la parte de la contrase\u00f1a que sigue al car\u00e1cter especial queda expuesta en los registros de errores del servidor web. Esto se debe a un escape incorrecto de la cadena de contrase\u00f1a de SQLAlchemy. Como resultado, los usuarios est\u00e1n sujetos a una exposici\u00f3n parcial de la contrase\u00f1a de la base de datos alojada en los registros del servidor web. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.37.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-34715", "lastModified": "2024-05-29T19:50:25.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-29T17:16:20.260", "references": [{"source": "security-advisories@github.com", "url": "https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords"}, {"source": "security-advisories@github.com", "url": "https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c"}, {"source": "security-advisories@github.com", "url": "https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7"}, {"source": "security-advisories@github.com", "url": "https://github.com/sqlalchemy/sqlalchemy/discussions/6615"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}