PT-2024-26368 · Google · BigQuery

Adamsachs

·

Published

2024-05-30

·

Updated

2025-10-20

·

CVE-2024-35189

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.37.0
Description: The Fides webserver exposes a number of endpoints that retrieve ConnectionConfiguration records together with their associated secrets, which can contain sensitive data. These secrets are stored encrypted at rest, and the endpoints are not meant to return that sensitive data in plaintext to API clients. An internal function uses "sensitive" annotations on the API models to replace sensitive fields with a "**********" placeholder value. The issue is a bug in that function: it masked only sensitive fields at the root level of a secrets object and skipped sensitive fields nested below it. Only the BigQuery connection configuration secrets meet these criteria, because the service-account keyfile is nested one level down; its keyfile_creds.private_key property was therefore returned in plaintext to any API client authorized to read or update connection configurations (hence PR:L in the vector). The affected endpoints include "GET /api/v1/connections", "PATCH /api/v1/connections", "GET /api/v1/connection/{connection_key}", "PATCH /api/v1/system/{system_key}/connection", "GET /api/v1/system/{system_key}", and "GET /api/v1/system/{system_key}/connection".
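The masking bug described above is easy to reproduce in miniature. The example below is added here and is not Fides code; it models a BigQuery-style secrets object with a constructed, fake keyfile, a hypothetical table of dotted "sensitive" paths, a root-only mask of the flawed shape the advisory describes, a recursive mask that handles nested objects and lists, and an audit helper that reports which sensitive paths a response still leaks:

```python
from typing import Any

MASK = "**********"

# Constructed sample: a BigQuery-style ConnectionConfiguration secrets object.
# The service-account keyfile sits one level below the root; the private_key
# value is a fake placeholder, not a real key.
SAMPLE_SECRETS: dict[str, Any] = {
    "dataset": "analytics",
    "keyfile_creds": {
        "type": "service_account",
        "project_id": "example-project",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    },
}

# Hypothetical annotation table: dotted paths of fields marked sensitive.
# Fides derives this from model field annotations; the set here is assumed.
SENSITIVE_PATHS = {"password", "keyfile_creds.private_key"}


def mask_root_only(secrets: dict[str, Any], sensitive: set[str]) -> dict[str, Any]:
    """Flawed shape: only root-level keys are compared against the sensitive
    set, so a dotted path like 'keyfile_creds.private_key' never matches and
    the nested private key passes through untouched."""
    return {k: (MASK if k in sensitive else v) for k, v in secrets.items()}


def mask_recursive(value: Any, sensitive: set[str], prefix: str = "") -> Any:
    """Corrected shape: walk dicts and lists, tracking the dotted path of each
    field, and replace any field whose full path is marked sensitive."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            path = f"{prefix}.{k}" if prefix else k
            out[k] = MASK if path in sensitive else mask_recursive(v, sensitive, path)
        return out
    if isinstance(value, list):
        # List items share their parent's path, so a sensitive field inside
        # any element is still masked.
        return [mask_recursive(v, sensitive, prefix) for v in value]
    return value


def leaked_paths(masked: Any, sensitive: set[str], prefix: str = "") -> list[str]:
    """Audit helper: return the sensitive paths in an API response that still
    carry a non-placeholder value. Useful as a regression check against the
    JSON returned by the affected endpoints."""
    leaks: list[str] = []
    if isinstance(masked, dict):
        for k, v in masked.items():
            path = f"{prefix}.{k}" if prefix else k
            if path in sensitive:
                if v != MASK:
                    leaks.append(path)
            else:
                leaks.extend(leaked_paths(v, sensitive, path))
    elif isinstance(masked, list):
        for v in masked:
            leaks.extend(leaked_paths(v, sensitive, prefix))
    return leaks


if __name__ == "__main__":
    flawed = mask_root_only(SAMPLE_SECRETS, SENSITIVE_PATHS)
    fixed = mask_recursive(SAMPLE_SECRETS, SENSITIVE_PATHS)
    print("root-only mask leaks:", leaked_paths(flawed, SENSITIVE_PATHS))
    print("recursive mask leaks:", leaked_paths(fixed, SENSITIVE_PATHS))
```

Running the script shows the root-only mask leaking keyfile_creds.private_key while leaving the non-sensitive keyfile fields (project_id, client_email) readable, which is exactly the behaviour the advisory describes; the recursive mask leaks nothing and still preserves the non-sensitive fields. The leaked_paths helper can be pointed at a captured response body from any of the listed endpoints to confirm an upgraded deployment no longer returns the key.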
Recommendations: To resolve the issue, upgrade to Fides version 2.37.0 or later. Additionally, rotate any Google Cloud service-account keys used for BigQuery integrations in Fides deployments, since the keyfile_creds.private_key value may already have been returned to API clients. As a temporary workaround, restrict access to the affected API endpoints until the upgrade is applied, and avoid exposing the keyfile_creds.private_key property through those endpoints in the meantime.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-35189
GHSA-RCVG-JJ3G-RJ7C

Affected Products

BigQuery