CVE-2023-46125: Merge pull request from GHSA-rjxg-rpg3-9r89 · ethyca/fides@c9f3a62

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the GET api/v1/config endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, server addresses and ports, and the database username. This information is useful to administrative users as well as attackers, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role, e.g. the viewer role, to retrieve the config information using the API. The vulnerability has been patched in Fides version 2.22.1.



* feat: remove the config_read scope from the viewer role

* feat: remove the CONFIG_READ scope from the contributor role as well


Showing 1 changed file with 1 addition and 1 deletion.

2 changes: 1 addition & 1 deletion src/fides/api/oauth/roles.py


@@ -86,7 +86,6 @@ class RoleRegistryEnum(Enum):

viewer_scopes = [ # Intentionally omitted USER_PERMISSION_READ

CLI_OBJECTS_READ,

CLIENT_READ,

CONFIG_READ,

CONNECTION_READ,

CONSENT_READ,

CONSENT_SETTINGS_READ,
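
Review bot: removing CONFIG_READ from viewer_scopes (the line between CLIENT_READ and CONNECTION_READ) is the fix for the GET api/v1/config exposure, but the hunk carries no test and no comment recording the decision; extend the existing marker, e.g. `viewer_scopes = [ # Intentionally omitted USER_PERMISSION_READ and CONFIG_READ`, and add a regression test asserting that a viewer-role token is rejected on GET api/v1/config and that the contributor role, which the commit message says loses the scope as well, is rejected too.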


@@ -126,6 +125,7 @@ class RoleRegistryEnum(Enum):

MESSAGING_CREATE_OR_UPDATE,

MESSAGING_DELETE,

PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE,

CONFIG_READ,

CONFIG_UPDATE,

USER_PERMISSION_ASSIGN_OWNERS,

]
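
Review bot: the header `@@ -126,6 +125,7 @@` shows this hunk adds CONFIG_READ (between PRIVACY_REQUEST_NOTIFICATIONS_CREATE_OR_UPDATE and CONFIG_UPDATE) rather than removing it, which the commit message does not say; state in the message that CONFIG_READ is moved into the list that also grants CONFIG_UPDATE and USER_PERMISSION_ASSIGN_OWNERS, so a reader does not take this addition for a widening of permissions. Also confirm that no other role list is defined by extending this one, or the scope would be reintroduced for that role.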



Related news

GHSA-rjxg-rpg3-9r89: Fides Information Disclosure Vulnerability in Config API Endpoint

### Impact

The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, server addresses and ports, and the database username. This information is useful to administrative users as well as attackers, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role, e.g. the viewer role, to retrieve the config information using the API.

### Patches

The vulnerability has been patched in Fides version `2.22.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.

### Workarounds

There are no workarounds.
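As an added example (not Fides' own code), the following models the scope registry before and after commit c9f3a62 and the server-side check a route such as `GET api/v1/config` must perform; only the constant, role and file names come from the diff, while the scope string values and the viewer, contributor, owner inheritance chain are assumptions.

```python
# Added example (not Fides' own code); names follow the diff, contents are assumed.
from __future__ import annotations

from enum import Enum

# Scope strings are assumed values; only the constant names come from the diff.
CLIENT_READ = "client:read"
CONFIG_READ = "config:read"
CONFIG_UPDATE = "config:update"
USER_PERMISSION_ASSIGN_OWNERS = "user-permission:assign_owners"


class RoleRegistryEnum(Enum):
    OWNER = "owner"
    CONTRIBUTOR = "contributor"
    VIEWER = "viewer"


def build_role_scopes(patched: bool) -> dict[RoleRegistryEnum, frozenset[str]]:
    """Map each role to its scope set.

    patched=False models the vulnerable layout: CONFIG_READ sits in
    viewer_scopes, so every role built on top of it inherits the scope.
    patched=True models the fix: CONFIG_READ is dropped from viewer_scopes
    and granted explicitly in the owner list only.
    """
    viewer_scopes = [CLIENT_READ]
    if not patched:
        viewer_scopes.append(CONFIG_READ)
    # Assumption: contributor extends viewer and owner extends contributor.
    contributor_scopes = [*viewer_scopes]
    owner_scopes = [*contributor_scopes, CONFIG_UPDATE, USER_PERMISSION_ASSIGN_OWNERS]
    if patched:
        owner_scopes.append(CONFIG_READ)
    return {
        RoleRegistryEnum.VIEWER: frozenset(viewer_scopes),
        RoleRegistryEnum.CONTRIBUTOR: frozenset(contributor_scopes),
        RoleRegistryEnum.OWNER: frozenset(owner_scopes),
    }


def authorize(role: RoleRegistryEnum, required_scope: str, patched: bool) -> bool:
    """The server-side check a route such as GET api/v1/config must perform."""
    return required_scope in build_role_scopes(patched)[role]


def roles_that_can_read_config(patched: bool) -> set[RoleRegistryEnum]:
    """Regression check: which roles can reach the config endpoint."""
    return {r for r in RoleRegistryEnum if authorize(r, CONFIG_READ, patched)}
```

Because the contributor list is derived from the viewer list, a single removal closes the endpoint for both lower roles, which is why the owner list needs CONFIG_READ added back explicitly.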
