PT-2024-31404 · Fides · Fides

Robertkeyser · Published 2024-09-04 · Updated 2024-09-06 · CVE-2024-45052

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.44.0

Description: A timing-based username enumeration vulnerability exists in Fides Webserver authentication, allowing an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This information can be used to conduct further attacks on authentication, such as password brute-forcing and credential stuffing.

Recommendations: To resolve the issue, upgrade to Fides version 2.44.0 or later. There are no workarounds for this vulnerability. As a temporary mitigation measure, consider restricting access to the authentication endpoint until a patch is applied.
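The bug class in the description, as an added illustration that is not Fides code or its actual fix: a login check that returns early for unknown usernames (skipping the expensive password hashing, so the reply is measurably faster) beside a hardened variant that always performs the hashing. The user store, the dummy credential and the `timing_gap` self-check are constructed stand-ins.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; the cost that leaks when skipped

# Constructed demo user store (username -> (salt, derived key)); not Fides data.
_SALT = os.urandom(16)
_USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, ITERATIONS))}
# Dummy credential so that unknown usernames pay the same hashing cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, ITERATIONS)


def _verify(salt: bytes, expected: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no key derivation, so a much faster reply."""
    record = _USERS.get(username)
    if record is None:
        return False
    return _verify(record[0], record[1], password)


def login_hardened(username: str, password: str) -> bool:
    """Always runs the key derivation, so unknown and known users cost the same."""
    record = _USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_KEY)
    ok = _verify(salt, expected, password)
    # The unknown-user rejection happens only after the full work has been done.
    return ok and record is not None


def timing_gap(login, rounds: int = 5) -> float:
    """Median response time for an unknown user divided by that for a known one.

    Far below 1.0 means the handler leaks username validity through timing;
    close to 1.0 means the two paths are indistinguishable by this measure.
    """
    def median_seconds(user: str) -> float:
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(user, "not the password")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[rounds // 2]
    return median_seconds("nobody") / median_seconds("alice")
```

Running `timing_gap` over both handlers is a cheap regression check to keep in a test suite so the early-return pattern does not creep back in.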

Side Channel Attack

Weakness Enumeration

Related Identifiers: CVE-2024-45052, GHSA-2H46-8GF5-FMXV

Affected Products: Fides