Headline
CVE-2023-46125: Merge pull request from GHSA-rjxg-rpg3-9r89 · ethyca/fides@c9f3a62
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the GET api/v1/config endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers' addresses and ports, and the database username. This information is useful for administrative users as well as attackers, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role, e.g. the viewer role, to retrieve the config information using the API. The vulnerability has been patched in Fides version 2.22.1.
* feat: remove the config_read scope from the viewer role
* feat: remove the CONFIG_READ scope from the contributor role as well
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/fides/api/oauth/roles.py
@@ -86,7 +86,6 @@ class RoleRegistryEnum(Enum):
viewer_scopes = [ # Intentionally omitted USER_PERMISSION_READ
CLI_OBJECTS_READ,
CLIENT_READ,
CONFIG_READ,
CONNECTION_READ,
CONSENT_READ,
CONSENT_SETTINGS_READ,
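Review bot: the extracted hunk has lost its `+`/`-` markers, but the header `-86,7 +86,6` shows exactly one line removed, which per the commit message is `CONFIG_READ` from `viewer_scopes`. The existing comment `# Intentionally omitted USER_PERMISSION_READ` should be extended to say that `CONFIG_READ` is intentionally omitted as well, so a later contributor does not "restore" it, and the change should come with a test asserting that a viewer token gets a 403 on `GET api/v1/config`.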
@@ -126,6 +125,7 @@ class RoleRegistryEnum(Enum):
MESSAGING_CREATE_OR_UPDATE,
MESSAGING_DELETE,
PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,
CONFIG_READ,
CONFIG_UPDATE,
USER_PERMISSION_ASSIGN_OWNERS,
]
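Review bot: the header `-126,6 +125,7` shows one line added, `CONFIG_READ`, next to `CONFIG_UPDATE` and `USER_PERMISSION_ASSIGN_OWNERS`, which are owner-level scopes. Since the commit message says the scope is also removed from the contributor role, this list must be one the contributor role does not derive from; otherwise the contributor would regain config read through role composition. A regression test that enumerates every role's scopes and asserts `CONFIG_READ` appears only for the owner role would make that invariant explicit.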
0 comments on commit c9f3a62
Related news
### Impact

The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers' addresses and ports, and the database username. This information is useful for administrative users as well as attackers, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role, e.g. the viewer role, to retrieve the config information using the API.

### Patches

The vulnerability has been patched in Fides version `2.22.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.

### Workarounds

There are no workarounds.
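The advisory and the patch above describe a scope-based authorization model in which the viewer role carried `CONFIG_READ` and therefore could call `GET api/v1/config`. The following added example (not Fides code) models that role-to-scope registry and shows how an endpoint check and a scope audit behave before and after moving `CONFIG_READ` to the owner role; the scope strings, the contributor role's extra scopes, and the role composition (contributor builds on viewer, owner builds on contributor) are assumptions for illustration.

```python
# Added illustration, not Fides' own code: a role -> scope registry gating
# `GET api/v1/config`, with a switch to reproduce the pre-fix viewer scopes.
from typing import Dict, FrozenSet, List

# Scope names are assumptions modelled on the identifiers in the patch.
CLIENT_READ = "client:read"
CONNECTION_READ = "connection:read"
CONFIG_READ = "config:read"
CONFIG_UPDATE = "config:update"
MESSAGING_CREATE_OR_UPDATE = "messaging:create_or_update"
USER_PERMISSION_ASSIGN_OWNERS = "user-permission:assign_owners"

# Endpoint -> scope a caller must hold (assumed mapping for the two config routes).
ENDPOINT_SCOPES: Dict[str, str] = {
    "GET api/v1/config": CONFIG_READ,
    "PUT api/v1/config": CONFIG_UPDATE,
}


def build_roles(viewer_has_config_read: bool) -> Dict[str, FrozenSet[str]]:
    """Return role -> scopes. True reproduces the pre-2.22.1 registry where the
    viewer role (and everything built on it) held CONFIG_READ; False is the fix."""
    viewer = {CLIENT_READ, CONNECTION_READ}
    if viewer_has_config_read:
        viewer.add(CONFIG_READ)
    # Assumed composition: a scope granted to viewer propagates to every role
    # layered on top of it, which is why the leak reached contributor too.
    contributor = viewer | {MESSAGING_CREATE_OR_UPDATE}
    owner = contributor | {CONFIG_READ, CONFIG_UPDATE, USER_PERMISSION_ASSIGN_OWNERS}
    return {
        "viewer": frozenset(viewer),
        "contributor": frozenset(contributor),
        "owner": frozenset(owner),
    }


def is_authorized(roles: Dict[str, FrozenSet[str]], role: str, endpoint: str) -> bool:
    """Server-side check: the caller's role must carry the endpoint's required scope.
    Unknown roles and unknown endpoints are denied rather than allowed."""
    required = ENDPOINT_SCOPES.get(endpoint)
    return required is not None and required in roles.get(role, frozenset())


def roles_with_scope(roles: Dict[str, FrozenSet[str]], scope: str) -> List[str]:
    """Audit helper for a regression test: after the fix, CONFIG_READ should be
    reported for 'owner' only."""
    return sorted(name for name, scopes in roles.items() if scope in scopes)
```

Running `roles_with_scope(build_roles(True), CONFIG_READ)` reports all three roles, while the patched registry reports only `owner`; that audit is the check that catches a scope silently creeping back into a lower role.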