PT-2024-23864 · Fides · Fides

Robert Keyser · Published 2024-07-03 · Updated 2025-12-08

CVE-2024-31223
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fides versions 2.19.0 through 2.39.2rc0

Description: A vulnerability in Fides allows an unauthenticated attacker to make an HTTP GET request to the Privacy Center that discloses the value of the SERVER_SIDE_FIDES_API_URL server-side configuration environment variable. This variable's value is a URL that typically includes a private IP address, a private domain name, and/or a port. Disclosure of this information could give an attacker knowledge of server-side ports, private IP addresses, and/or private domain names.

Recommendations: For Fides versions 2.19.0 through 2.39.2rc0, upgrade to Fides version 2.39.2 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the Privacy Center's main page (for example, https://privacy.example.com) until the issue is resolved. Avoid using the SERVER_SIDE_FIDES_API_URL environment variable in the Privacy Center until the issue is resolved.
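As an added example (not code from Positive Technologies or the Fides project), the following Python check lets an operator test two things on their own deployment: whether a deployed Fides version falls inside the advisory's affected range, and whether a saved copy of the Privacy Center page body exposes URLs that point at internal hosts. The affected-range logic follows the versions stated above; the "internal host" classification (non-global IP, or a hostname that is not a public FQDN) and the sample page body are assumptions constructed for illustration.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Affected range from the advisory: 2.19.0 through 2.39.2rc0; fixed in 2.39.2.
FIRST_AFFECTED = (2, 19, 0)
FIXED = (2, 39, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+)?$")
_URL_RE = re.compile(r"""https?://[^\s"'<>\\]+""")

def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a Fides version string such as '2.39.2rc0'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Fides version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None

def is_affected(version: str) -> bool:
    """True when the version is inside 2.19.0 .. 2.39.2rc0 (a 2.39.2 release candidate is still vulnerable)."""
    core, prerelease = parse_version(version)
    if core < FIRST_AFFECTED:
        return False
    if core < FIXED:
        return True
    # core == FIXED: only the rc builds of 2.39.2 precede the fixed release
    return core == FIXED and prerelease

def is_internal_host(host: str) -> bool:
    """Assumed heuristic: non-global IP address, or a name that is not a public FQDN."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal; fall through to hostname rules
    host = host.lower().rstrip(".")
    return "." not in host or host.endswith((".local", ".internal", ".lan"))

def internal_urls_in_page(body: str) -> List[str]:
    """Return every URL in a page body whose host looks internal; an empty list means no leak found."""
    found = []
    for m in _URL_RE.finditer(body):
        host = urlsplit(m.group(0)).hostname
        if host and is_internal_host(host):
            found.append(m.group(0))
    return found

# Constructed sample page body (not a real Fides response): one public link and two internal-looking values.
SAMPLE_BODY = ('<script>window.__CONFIG__={"api":"http://10.0.3.7:8080/api/v1",'
               '"alt":"http://fides-api.internal:8080"}</script><a href="https://privacy.example.com">home</a>')
```

Run `internal_urls_in_page(open("privacy_center.html").read())` on a saved copy of your own Privacy Center page; any returned URL is a value an anonymous visitor can read too.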

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-31223
GHSA-53Q7-4874-24QG

Affected Products

Fides