PT-2024-26129 · Unknown+1 · Sqlalchemy+2

Tariqajyusuf · Published 2024-05-29 · Updated 2024-05-29 · CVE-2024-34715

CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.37.0

Description: The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as @ and $, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. The cause is improper escaping of the password when it is placed into the SQLAlchemy connection string. As a result, the hosted database password is partially exposed in webserver logs.

Recommendations: For Fides versions prior to 2.37.0, upgrade to version 2.37.0 or later to secure systems against this threat. As a temporary workaround, avoid using special characters such as @ and $ in the password for the database connection until the issue is resolved. There are no other known workarounds for this issue.
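The following Python snippet is an added illustration, not code from the Fides project or from this advisory. It shows why a raw password containing @ breaks a URL-style connection string, how percent-encoding it with urllib.parse.quote_plus (the method SQLAlchemy's own documentation recommends) fixes it, and, going one step beyond the advisory, how to redact the password component before a connection string is written to a log. The parser is a simplified stand-in that mirrors one rule of SQLAlchemy's URL grammar (the password ends at the first @); the user name, password, host and database name are constructed sample values. With this simplified grammar a bare $ does not by itself break parsing; the $ case in the advisory is specific to Fides and is not reproduced here, but quote_plus encodes it all the same.

```python
"""Added example: why a database password containing URL-reserved characters
such as '@' or '$' must be percent-encoded before it is embedded in a
URL-style (SQLAlchemy-like) connection string, and how the unescaped form
leaks the tail of the password into any error message that names the host."""
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed sample credentials; not real values.
USER = "fides"
PASSWORD = "p@ss$w0rd"
HOST = "db.internal.example"
PORT = 5432
DATABASE = "fides"

# Simplified connection-URL grammar used for this demonstration. It is a
# stand-in, not SQLAlchemy's parser, but it mirrors the relevant rule:
# the password component ends at the FIRST '@', and everything up to the
# next ':' or '/' is then taken as the hostname.
_URL_RE = re.compile(
    r"^(?P<driver>[\w+]+)://"
    r"(?:(?P<username>[^:/@]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^/:]*)(?::(?P<port>\d+))?"
    r"(?:/(?P<database>.*))?$"
)


def build_url_naive(user, password, host, port, database):
    """Vulnerable pattern: credentials interpolated into the URL unescaped."""
    return f"postgresql://{user}:{password}@{host}:{port}/{database}"


def build_url_escaped(user, password, host, port, database):
    """Hardened pattern: percent-encode user and password. safe='' makes
    quote_plus encode '@', '$', ':', '/' and '+' as well."""
    return (
        f"postgresql://{quote_plus(user, safe='')}:{quote_plus(password, safe='')}"
        f"@{host}:{port}/{database}"
    )


def parse_url(url):
    """Split a connection URL into its components, decoding the password."""
    m = _URL_RE.match(url)
    if m is None:
        raise ValueError("not a URL-style connection string")
    parts = m.groupdict()
    if parts["password"] is not None:
        parts["password"] = unquote_plus(parts["password"])
    if parts["port"] is not None:
        parts["port"] = int(parts["port"])
    return parts


def needs_escaping(password):
    """True if the password changes under percent-encoding, i.e. it contains
    characters that must not appear raw in a connection URL."""
    return quote_plus(password, safe="") != password


def redact_url(url):
    """Replace the password component with '***' before the URL is logged.
    The match is greedy within the authority part, so a malformed URL that
    contains extra '@' characters is still fully redacted."""
    return re.sub(r"(://[^:/]*:)[^/]*@", r"\1***@", url, count=1)


if __name__ == "__main__":
    naive = build_url_naive(USER, PASSWORD, HOST, PORT, DATABASE)
    parsed = parse_url(naive)
    # The password stops at the first '@'; the rest of it becomes part of the
    # "hostname", so an error such as a failed host lookup would print it.
    print("naive   password:", parsed["password"], "| host:", parsed["host"])

    escaped = build_url_escaped(USER, PASSWORD, HOST, PORT, DATABASE)
    parsed = parse_url(escaped)
    print("escaped password:", parsed["password"], "| host:", parsed["host"])
    print("needs escaping:", needs_escaping(PASSWORD))
    print("loggable form:", redact_url(naive))
```

When SQLAlchemy 1.4 or later is available, sqlalchemy.engine.URL.create() accepts the user name, password, host, port and database as separate arguments and performs this escaping itself, which removes the need to assemble the string by hand; the redaction helper above is still worth applying to anything that reaches a log.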

Exploit

Fix

Weakness Enumeration
Insertion into Log File
Improper Encoding or Escaping of Output

Related Identifiers
CVE-2024-34715
GHSA-8CM5-JFJ2-26Q7

Affected Products
Fides
Postgresql
Sqlalchemy