Veracode Vulnerability Database: VERACODE:47364
History: Jun 05, 2024 - 6:49 a.m.

Sensitive Information Disclosure

2024-06-05 06:49:47
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.0004 Low
Percentile: 9.1%

ethyca_fides is vulnerable to Information Disclosure. The vulnerability is due to improper masking of nested sensitive fields such as private_key in the BigQuery connection configuration, which allows an attacker to expose the sensitive fields in plaintext via certain API endpoints.
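
The failure mode described above, as an added Python example that is not taken from Fides or from Veracode: a masker that only checks top-level keys beside one that walks nested objects, plus a regression check for API responses. The key names (`keyfile_creds`, the sensitive-key set) and all sample values are constructed assumptions.

```python
# Added illustration, not Fides code. Key names and values are assumptions.
SENSITIVE_KEYS = {"private_key", "private_key_id"}  # assumed sensitive set
MASK = "**********"

# Constructed sample: BigQuery-style connection secrets with a nested
# service-account key object. Every value here is fake.
SAMPLE_SECRETS = {
    "dataset": "analytics",
    "keyfile_creds": {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0000000000",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
    },
}

def mask_top_level(secrets):
    """Flawed pattern: inspects only top-level keys, so nested secrets pass through."""
    return {k: (MASK if k in SENSITIVE_KEYS else v) for k, v in secrets.items()}

def mask_recursive(value, key=None):
    """Hardened pattern: mask a sensitive key at any depth of dicts and lists."""
    if key in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: mask_recursive(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_recursive(v) for v in value]
    return value

def _walk(value, key=None):
    """Yield (key, scalar) pairs for every leaf in a nested structure."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, k)
    elif isinstance(value, list):
        for v in value:
            yield from _walk(v, key)
    else:
        yield key, value

def leaked_values(original, masked):
    """Regression check: sensitive values from `original` still present in `masked`."""
    secret = {v for k, v in _walk(original) if k in SENSITIVE_KEYS}
    return sorted(secret & {v for _, v in _walk(masked)})
```

Running `leaked_values` against the serialised body of every endpoint that returns connection configuration, in a test suite, catches this class of regression before release.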
