CVE-2024-31223
Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
Description
`SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. This vulnerability allows an unauthenticated attacker to make a HTTP GET request from the Privacy Center that discloses the value of this server-side URL. ### Impact Disclosure of server-side configuration giving an attacker information on server-side ports, private IP addresses, and/or private domain names. ### Patches The vulnerability has been patched in Fides version `2.39.2`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds. ### Proof of Concept 1. Set the value of the environment variable `FIDES_PRIVACY_CENTER__SERVER_SIDE_FIDES_API_URL` of your Fides Privacy Center container before start-up to a private value such as `https://some.private.domain.name/api/v1` and start the Privacy Center application. 2. Once the application is up, perform a HTTP GET request of the Privacy Center's main page e.g. `https://privacy.example.com` . The value of `SERVER_SIDE_FIDES_API_URL` is returned in the response's body. ``` ~ ❯ curl -s https://privacy.example.com/ | \ grep '__NEXT_DATA__' | \ sed 's/.*<script id="__NEXT_DATA__" type="application\/json">//;s/<\/script>.*//' | \ jq '.props.serverEnvironment.settings.SERVER_SIDE_FIDES_API_URL' "https://some.private.domain.name/api/v1" ```
How to fix CVE-2024-31223
To remediate CVE-2024-31223, upgrade the affected package to a fixed version below.
- —upgrade to 2.39.2 or later
Is CVE-2024-31223 being exploited?
Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- >= 2.19.0, < 2.39.2