Exploit
CVE-2024-34715

Improper Encoding or Escaping of Output (CWE-116)

Published: May 29, 2024

CVSS 2.3 / EPSS 0.05% (Low)

Summary

The Fides webserver improperly escapes special characters like @ and $ in the password used to connect to the hosted PostgreSQL database. This can lead to a partial exposure of the database password in the webserver error logs if the password contains those special characters.

Impact

An attacker who gains access to the webserver error logs can view portions of the database password. This could potentially allow them to brute force the full password and gain unauthorized access to the database containing sensitive application data.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of in-the-wild exploitation at this time.

Patch

A patch is available in Fides version 2.37.0 that properly escapes special characters in the database password.
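The advisory describes the defect only at the level of "special characters like @ and $ are not escaped"; it does not say how Fides assembles its connection string. The example below is added here and is not Fides's code or its fix. It assumes the common case of a URL-style PostgreSQL DSN (`postgresql://user:password@host:port/db`), percent-encodes the credentials so that `@`, `$`, `:` and `/` cannot be confused with URL delimiters, parses the DSN back to confirm the round trip, and redacts the password before anything is logged. All host names and passwords are constructed sample values.

```python
from urllib.parse import quote, unquote, urlsplit


def build_dsn(user: str, password: str, host: str, port: int, database: str) -> str:
    """Assemble a PostgreSQL URL with the credentials percent-encoded.

    quote(..., safe="") encodes every reserved character, including '@',
    '$', ':' and '/', so the password can never be mistaken for the
    host part of the URL or split on a delimiter it happens to contain.
    """
    return (
        f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
        f"@{host}:{port}/{database}"
    )


def parse_dsn(dsn: str) -> dict:
    """Split a DSN back into its components, decoding the credentials."""
    parts = urlsplit(dsn)
    return {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port,
        "database": parts.path.lstrip("/"),
    }


def redact_dsn(dsn: str) -> str:
    """Return the DSN with the password replaced, for use in log messages.

    urlsplit exposes the still-encoded password, so the literal substring
    ':<password>@' can be located and replaced without decoding it first.
    """
    parts = urlsplit(dsn)
    if not parts.password:
        return dsn
    return dsn.replace(f":{parts.password}@", ":***@", 1)


if __name__ == "__main__":
    # Constructed sample credentials containing the characters named in the advisory.
    dsn = build_dsn("fides", "p@ss$word", "db.internal.example", 5432, "fides")
    print(dsn)                      # credentials are percent-encoded
    print(parse_dsn(dsn))           # round trip recovers the original password
    print("connecting to", redact_dsn(dsn))  # what should reach the log
```

The redaction helper is the part worth copying into a real connection-error handler: the advisory's exposure happened because the raw DSN, or a fragment of it, reached the webserver error log, and a log line built from `redact_dsn()` cannot leak the secret regardless of which characters the password contains.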

Mitigation

Users are advised to upgrade to Fides version 2.37.0 or later to remediate this vulnerability. There are no known workarounds.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Timeline

CVSS

A CVSS base score of 2.3 has been assigned.

May 29, 2024 at 3:35 PM / github_advisories
First Article

Feedly found the first article mentioning CVE-2024-34715.

May 29, 2024 at 3:36 PM / GitHub Advisory Database
CVE Assignment

NVD published the first details for CVE-2024-34715

May 29, 2024 at 5:16 PM
Trending

This CVE started to trend in security discussions

May 29, 2024 at 6:43 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 15.1%)

May 30, 2024 at 9:50 AM
Trending

This CVE stopped trending in security discussions

Jun 1, 2024 at 3:57 PM

Affected Systems

Ethyca/fides

Exploits

https://github.com/advisories/GHSA-8cm5-jfj2-26q7

Patches

Github Advisory

Attack Patterns

CAPEC-104: Cross Zone Scripting

Vendor Advisory

[GHSA-8cm5-jfj2-26q7] Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability
The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. Create a hosted PostgreSQL database for Fides with a password including @ or $ e.g. p@ssword

News

NA - CVE-2024-34715 - Fides is an open-source privacy engineering...
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by...
CVE-2024-34715
As a result users are subject to a partial exposure of hosted database password in webserver logs. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data.
CVE-2024-34715
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver CVE-2024-34715 originally published on CyberSecurityBoard
CVE-2024-34715 | ethyca fides up to 2.36.x log file (GHSA-8cm5-jfj2-26q7)
A vulnerability classified as problematic has been found in ethyca fides up to 2.36.x . Affected is an unknown function. The manipulation leads to sensitive information in log files. This vulnerability is traded as CVE-2024-34715 . It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-34715 - Fides is an open-source privacy engineering platfo
As a result users are subject to a partial exposure of hosted database password in webserver logs. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
