CVE-2023-46125
Published: 25 October 2023
Summary
CVE-2023-46125 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Ethyca Fides. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016). It ranks at the 39.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2803
Vulnerability details
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, server addresses and ports, and the database username. This information is useful to administrative users as well as to attackers, so it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role (e.g., the viewer role) to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`.
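The root cause described above is that secret-value filtering was treated as sufficient protection for the config endpoint, while the remaining keys still describe backend infrastructure. The following is an added illustration, not Fides' own code: it assumes a simple role model with an "owner" role, a constructed sample config, and constructed lists of secret and infrastructure key names, and shows that a redacted config still exposes infrastructure details, so the fix is a role check before any data is returned.

```python
"""Added example (not Fides' own code): redaction alone does not close CVE-2023-46125."""
from copy import deepcopy

# Constructed sample configuration in the shape of a typical webserver config.
SAMPLE_CONFIG = {
    "database": {"server": "db.internal.example", "port": 5432,
                 "user": "fides_app", "password": "hunter2"},
    "redis": {"host": "cache.internal.example", "port": 6379, "password": "s3cret"},
    "security": {"app_encryption_key": "0123456789abcdef",
                 "cors_origins": ["https://ui.example"]},
}

# Assumed set of keys whose values are secrets; these are what the "filtered" view drops.
SECRET_KEYS = {"password", "app_encryption_key"}

# Assumed set of keys that still describe backend infrastructure after secret filtering.
INFRA_KEYS = {"server", "host", "port", "user"}

OWNER_ROLE = "owner"  # assumed name of the highest Admin UI role


def redact_secrets(config: dict) -> dict:
    """Return a copy with secret values removed (the filtering the vulnerable endpoint relied on)."""
    out = {}
    for key, value in config.items():
        if key in SECRET_KEYS:
            continue
        out[key] = redact_secrets(value) if isinstance(value, dict) else deepcopy(value)
    return out


def leaked_infra_keys(config: dict) -> set:
    """Collect infrastructure-describing keys that survive in a (redacted) config."""
    found = set()
    for key, value in config.items():
        if key in INFRA_KEYS:
            found.add(key)
        if isinstance(value, dict):
            found |= leaked_infra_keys(value)
    return found


def get_config_for_role(role: str, config: dict = SAMPLE_CONFIG) -> dict:
    """Hardened handler: authorize on role first, then redact. Non-owners get nothing."""
    if role != OWNER_ROLE:
        raise PermissionError(f"role {role!r} may not read server configuration")
    return redact_secrets(config)
```

Running `leaked_infra_keys(redact_secrets(SAMPLE_CONFIG))` shows which infrastructure fields a viewer would still have learned from the filtered response; `get_config_for_role("viewer")` raises instead of returning them.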
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables low-privileged Admin UI users (e.g., viewer role) to retrieve filtered configuration data via the API, disclosing backend infrastructure details such as server addresses, ports (System Network Configuration Discovery - T1016), and database usernames (System Information Discovery - T1082).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
- Ensures authorization decisions for external system use are correctly implemented and enforced.
- Assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
- Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
- Drives review and correction of flawed authorization logic applied to organizational data.
- Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
- Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data.
- Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.