CVE-2024-34715

low-risk
Published 2024-05-29

Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.3/10 Low
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Ethyca

References (8)

Technical Description https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-...
Patch https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c
Exploit https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7
Issue Tracking https://github.com/sqlalchemy/sqlalchemy/discussions/6615
Technical Description https://docs.sqlalchemy.org/en/14/core/engines.html#escaping-special-characters-...
Patch https://github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141c
Exploit https://github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7
Issue Tracking https://github.com/sqlalchemy/sqlalchemy/discussions/6615
15
/ 100
low-risk
Severity 10/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal