CVE-2024-34715

CVSS V2 None CVSS V3 None

Description

Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.

Overview

CVE ID
CVE-2024-34715

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-05-29T16:35:46.375Z

Last Modified Date
2024-06-04T17:42:17.727Z

Weakness Enumerations

CWE	URL
CWE-532	http://cwe.mitre.org/data/definitions/532.html
CWE-116	http://cwe.mitre.org/data/definitions/116.html

References

Reference URL	Reference Tags
https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7	x_refsource_CONFIRM
https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c	x_refsource_MISC
https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords	x_refsource_MISC
https://github.com/sqlalchemy/sqlalchemy/discussions/6615	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-34715
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34715

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 14:25:54				Added to TrackCVE