CVE-2024-34715

Exploit

EPSS 0.28%
Veröffentlicht 29.05.2024 17:16:20
Zuletzt bearbeitet 27.09.2025 00:05:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Partial Password Exposure Vulnerability in Fides Webserver Logs

Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ethyca ≫ Fides Version < 2.37.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.191

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.3	1.8	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	2.3	0.8	1.4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-such-as-signs-in-passwords

Technical Description

https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c

Patch

https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7

Vendor Advisory

Exploit

https://github.com/sqlalchemy/sqlalchemy/discussions/6615

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-34715