PT-2024-35092 · Fides · Fides
H0Wl · Published 2024-11-26 · Updated 2024-11-26 · CVE-2024-52008
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.50.0
Description: The user invite acceptance API endpoint /api/v1/user/accept-invite lacks server-side password policy enforcement, so a user can set an arbitrarily weak password by bypassing the client-side validation. The UI enforces password complexity requirements, but a direct call to the API skips those checks, allowing an account to be created with a password as short as a single character. An invited user can therefore set an extremely weak password for their own account during initial account setup, leaving the account easy to compromise by an attacker guessing or brute-forcing the password.
Recommendations: For Fides versions prior to 2.50.0, upgrade to version 2.50.0 or later to secure the system against this threat. As a temporary workaround, consider restricting access to the /api/v1/user/accept-invite API endpoint until the patch is applied, and avoid using weak passwords for new user accounts until the issue is resolved. There are no other known workarounds for this vulnerability.
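The root cause above is a check that exists only in the browser. The following is an added illustration, not Fides' own code: a minimal invite-acceptance handler written twice, once trusting the client (the pattern the advisory describes) and once enforcing the policy server-side. The policy rules, the function names and the account store are assumptions made for this example.

```python
import re

# Assumed policy for illustration only; these are not Fides' actual rules.
MIN_LENGTH = 8
RULES = [
    (lambda p: len(p) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
    (lambda p: re.search(r"[A-Z]", p) is not None, "an uppercase letter"),
    (lambda p: re.search(r"[a-z]", p) is not None, "a lowercase letter"),
    (lambda p: re.search(r"[0-9]", p) is not None, "a digit"),
    (lambda p: re.search(r"[^A-Za-z0-9]", p) is not None, "a symbol"),
]


def password_policy_violations(password: str) -> list[str]:
    """Return the policy requirements the password fails (empty list means it passes)."""
    return [label for check, label in RULES if not check(password)]


def accept_invite_unchecked(invite_token: str, new_password: str, accounts: dict) -> tuple[bool, list[str]]:
    """Vulnerable pattern: the server assumes the UI already validated the password.

    A client that calls the endpoint directly (curl, a script) never ran that UI check,
    so any value, including a single character, is accepted.
    """
    accounts[invite_token] = {"activated": True, "password_len": len(new_password)}
    return True, []


def accept_invite_enforced(invite_token: str, new_password: str, accounts: dict) -> tuple[bool, list[str]]:
    """Hardened pattern: the server re-validates the password before activating the account.

    Returns (False, violations) and leaves the account untouched when the policy fails,
    which is what an API client should receive as a 4xx response with the reasons listed.
    """
    violations = password_policy_violations(new_password)
    if violations:
        return False, violations
    # A real implementation would store a password hash (argon2/bcrypt), never the password.
    accounts[invite_token] = {"activated": True, "password_len": len(new_password)}
    return True, []


if __name__ == "__main__":
    # Constructed sample input: the one-character password the advisory mentions.
    print(accept_invite_unchecked("invite-1", "a", {}))   # (True, [])  -- account activated anyway
    print(accept_invite_enforced("invite-1", "a", {}))    # (False, [...]) -- rejected with reasons
```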

Related Identifiers

CVE-2024-52008
GHSA-V7VM-RHMG-8J2R

Affected Products

Fides