PT-2023-29858 · Fides · Fides

H0Wl · Published 2023-10-24 · Updated 2023-11-01 · CVE-2023-46125

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.22.1

Description: The Fides webserver API lets users retrieve its configuration through the GET api/v1/config endpoint. The configuration data is filtered to remove most sensitive values before it is returned, but even the filtered data still exposes details about the internals and the backend infrastructure, such as various settings, server addresses and ports, and the database username. This information is useful to administrators and to attackers alike, so it should not be exposed to low-privileged users. The issue allows Admin UI users with roles below the owner role, e.g., the viewer role, to retrieve the configuration through the API.

Recommendations: For Fides versions prior to 2.22.1, upgrade to version 2.22.1 or later to secure the system against this threat. As a temporary workaround, restrict access to the GET api/v1/config endpoint to minimize the risk of exploitation.
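The following is an added illustration of the authorization flaw described above and of the kind of role check that closes it; it is not Fides code and does not reproduce the project's actual handler, roles or configuration layout. The role names, the rank ordering, the sample configuration document and the `Forbidden` exception are all constructed assumptions. The point it makes is that redacting secrets from a config response is not a substitute for an authorization check: hostnames, ports and usernames survive the redaction, so the endpoint itself must be limited to the highest-privilege role.

```python
"""Added example (not Fides code): filtered config disclosure vs. a role gate."""
from dataclasses import dataclass

# Constructed sample of a backend configuration. Even after secret values are
# stripped, the remaining fields describe internal infrastructure.
SAMPLE_CONFIG = {
    "database": {
        "server": "db.internal.example",   # constructed hostname
        "port": 5432,
        "user": "fides_app",               # constructed username
        "password": "constructed-secret",  # must never be returned
    },
    "redis": {"host": "cache.internal.example", "port": 6379,
              "password": "constructed-secret"},
    "security": {"cors_origins": ["https://app.example"]},
}

# Keys whose values are redacted before any response. The key names themselves
# are an assumption for this example.
SECRET_KEYS = {"password", "secret", "token", "api_key"}

# Assumed role hierarchy; higher rank means more privilege.
ROLE_RANK = {"viewer": 0, "contributor": 1, "owner": 2}


@dataclass
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def filter_secrets(config):
    """Recursively drop secret-looking keys from a config document.

    This is the 'filtering' step: it removes credentials but deliberately
    leaves servers, ports and usernames untouched, which is the residual
    disclosure the advisory describes.
    """
    if isinstance(config, dict):
        return {k: filter_secrets(v) for k, v in config.items()
                if k.lower() not in SECRET_KEYS}
    if isinstance(config, list):
        return [filter_secrets(v) for v in config]
    return config


def get_config_vulnerable(user):
    """Handler shaped like the flaw: any authenticated role may read config."""
    if user is None:
        raise Forbidden("authentication required")
    return filter_secrets(SAMPLE_CONFIG)


def get_config_fixed(user, required_role="owner"):
    """Hardened handler: authentication AND an owner-level role are required.

    Redaction still runs, so even owners never see credentials.
    """
    if user is None:
        raise Forbidden("authentication required")
    if ROLE_RANK.get(user.role, -1) < ROLE_RANK[required_role]:
        raise Forbidden(f"role {user.role!r} may not read the configuration")
    return filter_secrets(SAMPLE_CONFIG)


def can_read_config(handler, user):
    """True if `handler` returns a config for `user`, False if it refuses."""
    try:
        handler(user)
        return True
    except Forbidden:
        return False


def infrastructure_fields(config, prefix=""):
    """List the dotted paths of non-secret fields a response would expose.

    Useful when reviewing what a 'filtered' response still tells a reader.
    """
    paths = []
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            paths.extend(infrastructure_fields(value, path + "."))
        else:
            paths.append(path)
    return paths


if __name__ == "__main__":
    viewer = User("alice", "viewer")
    print("vulnerable handler, viewer:", can_read_config(get_config_vulnerable, viewer))
    print("fixed handler, viewer:", can_read_config(get_config_fixed, viewer))
    print("fields still exposed after filtering:",
          infrastructure_fields(filter_secrets(SAMPLE_CONFIG)))
```

In the vulnerable variant a viewer receives `database.server`, `database.port` and `database.user` even though the password has been stripped; in the fixed variant the same request is refused before any config is assembled, matching the advisory's recommendation to restrict the endpoint rather than rely on filtering alone.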

Exploit

Fix

Weakness Enumeration
Incorrect Authorization
Information Disclosure

Related Identifiers
CVE-2023-46125
GHSA-RJXG-RPG3-9R89

Affected Products
Fides