Adamsachs

Total CVSS: 6.5
PT-2024-26368 · CVSS 6.5 · 2024-05-30 · Google · BigQuery · CVE-2024-35189
**Name of the Vulnerable Software and Affected Versions**

Fides versions prior to 2.37.0

**Description**

The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets`, which can contain sensitive data. These `secrets` are stored encrypted at rest, and the associated endpoints are not meant to expose that sensitive data in plaintext to API clients. The application has an internal function that uses `sensitive` annotations to mask the sensitive fields with a `**********` placeholder value. This issue is due to a bug in that function, which prevented `sensitive` API model fields nested below the root level of a `secrets` object from being masked. Only the `BigQuery` connection configuration secrets meet these criteria: their nested sensitive `keyfile_creds.private_key` property is exposed in plaintext via the APIs. The affected endpoints include `GET /api/v1/connections`, `PATCH /api/v1/connections`, `GET /api/v1/connection/{connection_key}`, `PATCH /api/v1/system/{system_key}/connection`, `GET /api/v1/system/{system_key}`, and `GET /api/v1/system/{system_key}/connection`.

**Recommendations**

To resolve the issue, upgrade to Fides version 2.37.0 or later. Additionally, rotate any Google Cloud secrets used for BigQuery integrations in the Fides deployments. As a temporary workaround, consider restricting access to the affected API endpoints until the issue is resolved. Avoid using the `keyfile_creds.private_key` property in the affected API endpoints until the issue is resolved.
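As an added illustration (not Fides' own code), the shallow masking pattern the advisory describes sits beside a recursive version and a regression check that flags any sensitive field still in plaintext in an API response. The field names mirror the advisory's `keyfile_creds.private_key`; the schema layout and sample values are constructed assumptions, not the Fides model.

```python
MASK = "**********"

# Constructed schema of which secret fields are sensitive. It mirrors the shape
# the advisory describes (a nested keyfile_creds object holding private_key);
# the exact field set is an assumption, not Fides' own model.
SENSITIVE_FIELDS = {"keyfile_creds": {"private_key": True, "private_key_id": True}}

# Constructed sample secrets, in the shape an unmasked API response would have.
SAMPLE_SECRETS = {
    "dataset": "analytics",
    "keyfile_creds": {
        "project_id": "example-project",
        "private_key_id": "constructed-key-id",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----",
    },
}


def mask_root_only(secrets: dict, schema: dict) -> dict:
    """Shallow masking, the bug class in the advisory: only root-level fields
    are checked, so a nested private_key is returned in plaintext."""
    return {k: (MASK if schema.get(k) is True else v) for k, v in secrets.items()}


def mask_nested(secrets: dict, schema: dict) -> dict:
    """Fixed masking: recurse into nested objects wherever the schema does."""
    masked = {}
    for key, value in secrets.items():
        rule = schema.get(key)
        if rule is True:
            masked[key] = MASK
        elif isinstance(rule, dict) and isinstance(value, dict):
            masked[key] = mask_nested(value, rule)
        else:
            masked[key] = value
    return masked


def leaked_paths(response: dict, schema: dict, prefix: str = "") -> list:
    """Regression check for an API response: dotted paths of sensitive fields
    that are still present in plaintext (an empty list means fully masked)."""
    leaks = []
    for key, rule in schema.items():
        if key not in response:
            continue
        path = prefix + key
        if rule is True and response[key] != MASK:
            leaks.append(path)
        elif isinstance(rule, dict) and isinstance(response[key], dict):
            leaks.extend(leaked_paths(response[key], rule, path + "."))
    return leaks
```

Running `leaked_paths` over the output of each endpoint that returns `secrets` turns the advisory's condition into a test that fails on any nested leak, not only the BigQuery one.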