CVE-2024-31223

Severity: Medium · Public PoC available

Published: 03 July 2024
Modified: 04 September 2025
CVSS v3.1 base score: 5.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.0618 (91.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-31223 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Ethyca Fides. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Fides, an open-source privacy engineering platform, contains an information disclosure vulnerability in the Privacy Center component affecting versions 2.19.0 through 2.39.1. The flaw stems from improper handling of the SERVER_SIDE_FIDES_API_URL environment variable, which holds a backend URL that may contain private IP addresses, domain names, or ports. An unauthenticated remote attacker can issue a crafted HTTP GET request that causes the Privacy Center to return the value of this server-side variable, exposing internal network configuration details (CWE-497).

Because the request requires no authentication and can be sent directly to the Privacy Center, an attacker positioned to reach the application can obtain reconnaissance information useful for further attacks against the Fides deployment. The exposure is limited to configuration data rather than user or sensitive business records, consistent with the CVSS 5.3 rating.

The vulnerability was addressed in the patch release 2.39.2rc0; the referenced GitHub security advisory and associated commits confirm that the fix prevents disclosure of the SERVER_SIDE_FIDES_API_URL value and that no workarounds are available.

Vulnerability details

Fides is an open-source privacy engineering platform, and `SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address, private domain name, and/or port. A vulnerability present starting in version 2.19.0 and prior to version 2.39.2rc0 allows an unauthenticated attacker to make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This could result in disclosure of server-side configuration, giving an attacker information on server-side ports, private IP addresses, and/or private domain names. The vulnerability has been patched in Fides version 2.39.2rc0. No known workarounds are available.
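The affected range above (2.19.0 up to, but not including, the 2.39.2rc0 patch release) is easy to get wrong in an asset inventory because the fix landed in a pre-release. The following is an added example, not code from this page or from the Fides project: it parses release and pre-release version strings so that 2.39.2rc0 sorts below 2.39.2 and both count as fixed, then triages a constructed host inventory (the hostnames are hypothetical).

```python
import re

# Version bounds as stated in the advisory: affected from 2.19.0,
# first fixed release 2.39.2rc0 (so the 2.39.2 final is fixed as well).
FIRST_AFFECTED = "2.19.0"
FIRST_FIXED = "2.39.2rc0"

# Accepts "X.Y.Z" or "X.Y.Z{a|b|rc}N" (assumed subset of PEP 440 as used by Fides tags).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a version string into a tuple that sorts correctly.

    A pre-release sorts before the final release of the same X.Y.Z,
    which is exactly what makes 2.39.2rc0 < 2.39.2 here.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    # Pre-release ranking: a < b < rc < final release.
    rank = {"a": 0, "b": 1, "rc": 2, None: 3}[tag]
    return (int(major), int(minor), int(patch), rank, int(num or 0))


def is_affected(version: str) -> bool:
    """True when FIRST_AFFECTED <= version < FIRST_FIXED."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)


def triage(inventory: dict) -> dict:
    """Map {host: version} to {host: 'affected' | 'not affected'}."""
    return {host: ("affected" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are hypothetical.
    sample = {"privacy-center-prod": "2.39.1", "privacy-center-staging": "2.39.2rc0",
              "privacy-center-legacy": "2.18.9", "privacy-center-new": "2.40.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```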

CWE(s): CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1016 System Network Configuration Discovery (Discovery): Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1590.005 IP Addresses (Reconnaissance): Adversaries may gather the victim's IP addresses that can be used during targeting.
Why these techniques?

Unauthenticated attackers can exploit the public-facing Privacy Center web application (T1190) via HTTP GET to disclose the internal backend SERVER_SIDE_FIDES_API_URL, revealing private IP addresses (T1590.005), private domains, and ports to facilitate system network configuration discovery (T1016) and network service discovery (T1046).

Affected Assets

Vendor: ethyca
Product: fides
Versions: 2.19.0 through 2.39.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-497:

- Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems.
- Employs detection to prevent unauthorized mining of sensitive system information from being exfiltrated to external control spheres.
- Documenting where system information is processed and stored prevents exposure to unauthorized control spheres.
- The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations.
- Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections.
- Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres.
- System information is concealed or replaced with decoys, reducing leakage to unauthorized observers.
- Ensures sensitive system information is not disclosed outside the intended control sphere through error output.
