CVE-2024-34715: Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability
The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as @ and $, webserver startup fails and the part of the password following the special character is exposed in webserver error logs.
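A check a defender can run over retained webserver logs, added here as an example (not code from Fides or from the advisory): given the database password, it finds log lines containing the portion that follows an @ or $ and returns them masked, which shows whether the credential needs rotating. The sample password, the log lines and the 3-character minimum tail length are constructed assumptions.

```python
import re

# Characters the advisory names as triggers; extend for your deployment.
SPECIAL_CHARS = "@$"
# Assumed threshold: ignore very short tails to limit false positives.
MIN_TAIL = 3

# Constructed sample data, not real Fides output.
SAMPLE_PASSWORD = "Spring@2024$Example"
SAMPLE_LOG = [
    "INFO  starting webserver",
    'ERROR database connection failed: invalid host "2024$Example@db.example.internal"',
    "ERROR startup failed",
]


def password_tails(password, special=SPECIAL_CHARS):
    """Return each substring that follows a special character, longest first."""
    tails = {password[i + 1:] for i, ch in enumerate(password) if ch in special}
    return sorted((t for t in tails if len(t) >= MIN_TAIL), key=len, reverse=True)


def scan_log(lines, password):
    """Return (line_number, masked_line) for every line exposing a password tail."""
    tails = password_tails(password)
    if not tails:
        return []
    # Longest tail first so the mask covers as much of the secret as possible.
    pattern = re.compile("|".join(re.escape(t) for t in tails))
    hits = []
    for number, line in enumerate(lines, 1):
        if pattern.search(line):
            hits.append((number, pattern.sub("[REDACTED]", line)))
    return hits


if __name__ == "__main__":
    for number, masked in scan_log(SAMPLE_LOG, SAMPLE_PASSWORD):
        print(f"line {number}: {masked}")
```

Any hit means the logged portion of the password should be treated as disclosed to everyone with access to those logs.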