Safety vulnerability ID: 63521
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Ethyca-fides 2.22.1 fixes a vulnerability identified as CVE-2023-46125. The issue affected the GET api/v1/config endpoint. It allowed Admin UI users with roles lower than the owner role, such as the viewer role, to retrieve the configuration information using the API. Even though the configuration data was filtered to suppress most sensitive information, it still contained details about the internals and backend infrastructure, such as server addresses, ports, and database usernames.
https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89
Latest version: 2.51.1
Open-source ecosystem for data privacy as code.
Release Pull Request
https://github.com/ethyca/fides/pull/4316
What's Changed
* Custom fields are now included in system history change tracking by galvana in [4294](https://github.com/ethyca/fides/pull/4294)
* Added hostname checks for external SaaS connector URLs [CVE-2023-46124](https://github.com/ethyca/fides/security/advisories/GHSA-jq3w-9mgf-43m4) by ThomasLaPiana
* Use a Pydantic URL type for privacy policy URLs [CVE-2023-46126](https://github.com/ethyca/fides/security/advisories/GHSA-fgjj-5jmr-gh83) by ThomasLaPiana
* Remove the CONFIG_READ scope from the Viewer role [CVE-2023-46125](https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89) by ThomasLaPiana
**Full Changelog**: https://github.com/ethyca/fides/compare/2.22.0...2.22.1
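The advisory description above and the changelog entry "Remove the CONFIG_READ scope from the Viewer role" describe the same least-privilege fix: a scope-based authorization check in front of the config endpoint, where the Viewer role must not carry the config-read scope. The following is an added example, not Fides project code, that models that check with a role-to-scope map before and after the fix, and shows why a "filtered" config dump can still disclose infrastructure details. The scope names, role names, sample config values and the `redact` helper are all hypothetical and constructed for this illustration; Fides' real scope registry and config shape are not reproduced here.

```python
from typing import Any, Iterable, Mapping

# Hypothetical scope and role identifiers (not the Fides registry).
CONFIG_READ = "config:read"
PRIVACY_REQUEST_READ = "privacy_request:read"
OWNER = "owner"
VIEWER = "viewer"

# Role -> scope map in the vulnerable state: Viewer carries CONFIG_READ.
ROLE_SCOPES_BEFORE = {
    OWNER: {CONFIG_READ, PRIVACY_REQUEST_READ},
    VIEWER: {CONFIG_READ, PRIVACY_REQUEST_READ},
}

# Role -> scope map after the fix: CONFIG_READ is reserved for Owner.
ROLE_SCOPES_AFTER = {
    OWNER: {CONFIG_READ, PRIVACY_REQUEST_READ},
    VIEWER: {PRIVACY_REQUEST_READ},
}


class Forbidden(Exception):
    """Raised when a caller lacks a required scope."""


def granted_scopes(roles: Iterable[str], role_scopes: Mapping[str, set]) -> set:
    """Union of the scopes granted by every role the caller holds."""
    scopes: set = set()
    for role in roles:
        scopes |= role_scopes.get(role, set())
    return scopes


def require_scope(roles: Iterable[str], role_scopes: Mapping[str, set], scope: str) -> None:
    """Authorization gate: deny unless the caller's roles grant `scope`."""
    if scope not in granted_scopes(roles, role_scopes):
        raise Forbidden(f"missing scope {scope}")


# Constructed sample config, shaped like a typical backend settings dump.
SAMPLE_CONFIG = {
    "database": {
        "server": "db.internal.example",
        "port": 5432,
        "user": "fides_app",
        "password": "constructed-sample-secret",
    },
    "redis": {"host": "cache.internal.example", "port": 6379},
    "security": {"cors_origins": ["https://admin.example"]},
}

# Keys the "filtered" endpoint hides: only credential-like values.
SECRET_KEYS = frozenset({"password", "api_key", "secret"})
# Keys that still describe backend topology and are worth hiding from low-privilege callers.
INFRA_KEYS = frozenset({"server", "host", "port", "user"})


def redact(node: Any, keys: frozenset) -> Any:
    """Recursively replace the value of any key in `keys` with a placeholder."""
    if isinstance(node, dict):
        return {k: ("<redacted>" if k in keys else redact(v, keys)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, keys) for v in node]
    return node


def get_config(roles: Iterable[str], role_scopes: Mapping[str, set],
               redact_keys: frozenset = SECRET_KEYS) -> dict:
    """Handler for the config endpoint: scope check first, then filtered output."""
    require_scope(roles, role_scopes, CONFIG_READ)
    return redact(SAMPLE_CONFIG, redact_keys)


def viewer_can_read_config(role_scopes: Mapping[str, set]) -> bool:
    """True if a Viewer-only caller gets past the authorization gate."""
    try:
        get_config([VIEWER], role_scopes)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Before the fix: Viewer is allowed through, and the filtered output still
    # reveals server names, ports and the database username.
    print("viewer allowed (before):", viewer_can_read_config(ROLE_SCOPES_BEFORE))
    print("viewer sees (before):", get_config([VIEWER], ROLE_SCOPES_BEFORE)["database"])
    # After the fix: Viewer is denied at the scope check.
    print("viewer allowed (after):", viewer_can_read_config(ROLE_SCOPES_AFTER))
    # Owner still reads the config; a stricter redaction set hides topology too.
    print("owner, stricter filter:", get_config([OWNER], ROLE_SCOPES_AFTER, SECRET_KEYS | INFRA_KEYS))
```

The two points a defender would check here are separate: the scope gate decides who may call the endpoint at all, and the redaction set decides what a permitted caller sees. Removing the scope from the Viewer role closes the reported issue; the `INFRA_KEYS` set shows that value filtering alone would have left the topology details in the response.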