| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| CVE-2024-31223 | 31 Oct 202521:02 | – | circl | |
| Fides Security Vulnerabilities | 3 Jul 202400:00 | – | cnnvd | |
| CVE-2024-31223 | 3 Jul 202417:34 | – | cve | |
| CVE-2024-31223 Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL | 3 Jul 202417:34 | – | cvelist | |
| EUVD-2024-2256 | 3 Oct 202520:07 | – | euvd | |
| Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL | 5 Jul 202420:40 | – | github | |
| CVE-2024-31223 | 3 Jul 202418:15 | – | nvd | |
| CVE-2024-31223 Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL | 3 Jul 202417:34 | – | osv | |
| GHSA-53Q7-4874-24QG Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL | 5 Jul 202420:40 | – | osv | |
| PYSEC-2026-1334 Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL | 7 Jul 202614:34 | – | osv |
id: CVE-2024-31223
info:
name: Fides Privacy Center ≤ 2.39.1 - Server-Side URL Disclosure
author: hnd3884
severity: medium
description: |
Fides versions 2.19.0 to before 2.39.2rc0 contain an information disclosure caused by unauthenticated HTTP GET request to the Privacy Center, letting attackers access the SERVER_SIDE_FIDES_API_URL, which may reveal server configuration details, exploit requires no authentication.
impact: |
Attackers can obtain server-side URLs, revealing private IPs, ports, and domain names, potentially aiding further targeted attacks.
remediation: |
Update to version 2.39.2rc0 or later.
reference:
- https://github.com/ethyca/fides/commit/0555080541f18a5aacff452c590ac9a1b56d7097
- https://github.com/ethyca/fides/security/advisories/GHSA-53q7-4874-24qg
- https://nvd.nist.gov/vuln/detail/CVE-2024-31223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2024-31223
cwe-id: CWE-497
epss-score: 0.01114
epss-percentile: 0.62071
cpe: cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: html:"SERVER_SIDE_FIDES_API_URL"
tags: cve,cve2024,vuln,ethyca,fides,disclosure,vkev
http:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SERVER_SIDE_FIDES_API_URL"
- type: status
status:
- 200
extractors:
- type: regex
name: server_side_fides_api_url
group: 1
regex:
- '"SERVER_SIDE_FIDES_API_URL":"(.+?)"'
# digest: 4b0a00483046022100efc52268f6160ce3764abd1de74da04feddca6081cd1f8e73e6c149450b4ac19022100d3de9f88a72de2de6bb2254978c3ff0abe08becd1d0feedd4b1a403931b64d5b:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation