2024-12-15 03:03:56 +00:00

{
"id": "CVE-2023-48224",
"sourceIdentifier": "security-advisories@github.com",
"published": "2023-11-15T21:15:08.100",
"lastModified": "2024-11-21T08:31:14.697",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to submit a request to access all personal data held by the data controller, or to delete/erase it. Consent requests allow data subject users to modify their privacy preferences for how the data controller uses their personal data, e.g. data sales and sharing consent opt-in/opt-out. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. It was identified that the one-time code values for these requests were generated by the python `random` module, a cryptographically weak pseudo-random number generator (PRNG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process. There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user's privacy preferences. The vulnerability has been patched in Fides version `2.24.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. El Privacy Center de Fides permite a los usuarios interesados enviar solicitudes de privacidad y consentimiento a los usuarios responsables del tratamiento de datos de la aplicaci\u00f3n web de Fides. Las solicitudes de privacidad permiten a los interesados presentar una solicitud para acceder a todos los datos personales en poder del controlador de datos, o eliminarlos o borrarlos. La solicitud de consentimiento permite a los usuarios interesados modificar sus preferencias de privacidad sobre c\u00f3mo el controlador de datos utiliza sus datos personales, p. Venta de datos y consentimiento para compartir y optar por no participar. Si `subject_identity_verification_required` en la secci\u00f3n `[ejecuci\u00f3n]` de `fides.toml` o la var env `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` est\u00e1 configurada en `True` en el backend del servidor web de Fides, los interesados reciben un c\u00f3digo de un solo uso a su direcci\u00f3n de correo electr\u00f3nico o el n\u00famero de tel\u00e9fono, seg\u00fan la configuraci\u00f3n de mensajer\u00eda, y el c\u00f3digo de un solo uso deben ser ingresados en Privacy Center UI, por el interesado antes de enviar la solicitud de privacidad o consentimiento. Se identific\u00f3 que los valores de c\u00f3digo de un solo uso para estas solicitudes fueron generadas por el m\u00f3dulo \"aleatorio\" de Python, un generador de n\u00fameros pseudoaleatorios (PNRG) criptogr\u00e1ficamente d\u00e9bil. Si un atacante genera varios cientos de c\u00f3digos \u00fanicos consecutivos, esta vulnerabilidad le permite predecir todos los valores futuros de c\u00f3digos \u00fanicos durante la vida \u00fatil del proceso backend de Python. No hay ning\u00fan impacto en la seguridad en las solicitudes de acceso a datos ya que el paquete de descarga de datos personales no se comparte en el Privacy Center en s\u00ed. Sin embargo, esta vulnerabilidad permite a un atacante (i) enviar una solicitud de borrado de datos verificada, lo que resulta en la eliminaci\u00f3n de datos para el usuario objetivo y (ii) enviar una solicitud de consentimiento verificada, modificando las preferencias de privacidad de un usuario. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.24.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. No se conocen workarounds para esta vulnerabilidad."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-338"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.24.0",
"matchCriteriaId": "12AD55DD-FCA0-4799-ACFF-CD03169882F3"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6",
"source": "security-advisories@github.com",
"tags": [
"Patch"
]
},
{
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358",
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
]
},
{
"url": "https://peps.python.org/pep-0506/",
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
]
},
{
"url": "https://github.com/ethyca/fides/commit/685bae61c203d29ed189f4b066a5223a9bb774c6",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
]
},
{
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-82vr-5769-6358",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
]
},
{
"url": "https://peps.python.org/pep-0506/",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
]
}
]
}