PyPI: ethyca-fides

CVE-2024-52008

Safety vulnerability ID: SFTY-20241126-12312

Safety legacy ID: pyup.io-74436

Created at: Nov 5, 2025
Updated at: Nov 5, 2025

Overview

Password Policy Bypass Vulnerability in Fides Webserver User Accept Invite API

Advisory

Affected versions of ethyca-fides are vulnerable to Client-Side Enforcement of Server-Side Security (CWE-602). The user invite acceptance API endpoint lacks server-side password policy enforcement, so a user can bypass the client-side validations and set a weak password. This enables attackers to compromise such accounts through brute-force or guessing attacks using easily obtainable passwords.

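As an added illustration (not the Fides project's own code; the advisory does not give its actual handlers or policy rules), the snippet below places a minimal stand-in for an invite-acceptance handler in the pattern the advisory describes beside a hardened form that re-checks the password policy on the server. The policy values, request fields, denylist and function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical policy; the advisory does not state Fides' actual rules.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_classes: tuple = ("upper", "lower", "digit", "symbol")
    # Constructed denylist of trivially guessable passwords (illustrative only).
    denylist: frozenset = frozenset({"password", "password123", "welcome1"})

    def violations(self, password: str) -> list[str]:
        """Return every rule the password breaks; an empty list means it passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = {
            "upper": re.search(r"[A-Z]", password),
            "lower": re.search(r"[a-z]", password),
            "digit": re.search(r"\d", password),
            "symbol": re.search(r"[^A-Za-z0-9]", password),
        }
        for name in self.require_classes:
            if not classes[name]:
                problems.append(f"missing {name} character")
        if password.lower() in self.denylist:
            problems.append("on the denylist of common passwords")
        return problems

POLICY = PasswordPolicy()

def accept_invite_client_only(body: dict) -> dict:
    """CWE-602 pattern from the advisory: the endpoint trusts that the browser
    already validated the password and stores whatever the request carries."""
    return {"status": 200, "user": body["username"], "password_set": True}

def accept_invite_server_enforced(body: dict) -> dict:
    """Hardened form: the same policy the UI shows is re-checked server side,
    so a request crafted outside the UI cannot set a weak password."""
    problems = POLICY.violations(body.get("new_password", ""))
    if problems:
        return {"status": 422, "detail": problems}
    return {"status": 200, "user": body["username"], "password_set": True}

if __name__ == "__main__":
    # Constructed request of the kind a client can send while skipping UI checks.
    weak = {"username": "alice", "invite_code": "example-token", "new_password": "password"}
    print(accept_invite_client_only(weak))      # accepted: weak password stored
    print(accept_invite_server_enforced(weak))  # rejected with the policy violations
```

The fix the advisory points to is the second shape: validation that lives only in the client is advisory, while validation in the handler is what actually bounds the password space an attacker must guess.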
Affected Package

Affecting ethyca-fides package, versions <2.50.0

How to Fix

Upgrade ethyca-fides to 2.50.0 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.