CVE-2024-31223
Published: 03 July 2024
Summary
CVE-2024-31223 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Ethyca Fides. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Fides, an open-source privacy engineering platform, contains an information disclosure vulnerability in the Privacy Center component affecting versions 2.19.0 through 2.39.1. The flaw stems from improper handling of the SERVER_SIDE_FIDES_API_URL environment variable, which holds a backend URL that may contain private IP addresses, domain names, or ports. An unauthenticated remote attacker can issue a crafted HTTP GET request that causes the Privacy Center to return the value of this server-side variable, exposing internal network configuration details (CWE-497).
Because the request requires no authentication and can be sent directly to the Privacy Center, an attacker positioned to reach the application can obtain reconnaissance information useful for further attacks against the Fides deployment. The exposure is limited to configuration data rather than user or sensitive business records, consistent with the CVSS 5.3 rating.
The vulnerability was addressed in the patch release 2.39.2rc0; the referenced GitHub security advisory and associated commits confirm that the fix prevents disclosure of the SERVER_SIDE_FIDES_API_URL value and that no workarounds are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2256
Vulnerability details
Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
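As an added example (not code from the Fides project or from this advisory's sources), a defender-side script that checks whether a Fides version falls inside the affected range stated above and whether a captured Privacy Center response body contains the backend URL configured in SERVER_SIDE_FIDES_API_URL; the backend URL and the response body below are constructed samples.

```python
"""Defender-side checks for CVE-2024-31223. Added example, not Fides code.
Assumes you know the backend URL your deployment sets in
SERVER_SIDE_FIDES_API_URL and have a captured Privacy Center response body."""
import re
from urllib.parse import quote, urlparse

FIRST_AFFECTED = "2.19.0"   # from the advisory
FIXED_IN = "2.39.2rc0"      # from the advisory


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[rcN]' into a sortable tuple. A release
    candidate sorts before the final release of the same number, so
    2.39.1 < 2.39.2rc0 < 2.39.2 (the ordering the fix range relies on)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Fides version: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    rc = m.group(4)
    return nums + ((0, int(rc)) if rc is not None else (1, 0))


def is_affected(version: str) -> bool:
    """True when 2.19.0 <= version < 2.39.2rc0, i.e. inside the advisory's range."""
    return parse_version(FIRST_AFFECTED) <= parse_version(version) < parse_version(FIXED_IN)


def backend_url_indicators(backend_url: str) -> set:
    """Forms in which the server-side URL could surface in a public response:
    verbatim, host:port only, JSON-escaped slashes, and percent-encoded."""
    return {
        backend_url,
        urlparse(backend_url).netloc,
        backend_url.replace("/", "\\/"),
        quote(backend_url, safe=""),
    }


def response_discloses_backend(body: str, backend_url: str) -> list:
    """Indicators of the configured backend URL found in a captured response
    body; an empty list means this response does not leak it."""
    return sorted(i for i in backend_url_indicators(backend_url) if i in body)


if __name__ == "__main__":
    # Constructed sample: a private backend URL and a JSON response that
    # echoes it with escaped slashes, as a leaking build might emit.
    backend = "http://10.0.3.12:8080"
    leaking = '{"config":{"apiUrl":"http:\\/\\/10.0.3.12:8080"}}'
    for v in ("2.18.9", "2.19.0", "2.39.1", "2.39.2rc0", "2.39.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(response_discloses_backend(leaking, backend))
```

Run the leak check against responses captured after upgrading to confirm the fixed build no longer echoes the configured URL in any of these forms.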
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated attackers can exploit the public-facing Privacy Center web application (T1190) via HTTP GET to disclose the internal backend SERVER_SIDE_FIDES_API_URL, revealing private IP addresses (T1590.005), private domains, and ports to facilitate system network configuration discovery (T1016) and network service discovery (T1046).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems.
Employs detection to stop sensitive system information from being mined and exfiltrated to external control spheres.
Documenting where system information is processed and stored prevents exposure to unauthorized control spheres.
The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations.
Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections.
Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres.
System information is concealed or replaced with decoys, reducing leakage to unauthorized observers.
Ensures sensitive system information is not disclosed outside the intended control sphere through error output.