The open-source privacy engineering platform Fides has been found to have a vulnerability in its user invite acceptance API endpoint. Because the password policy is enforced only in the browser, the endpoint lets users set weak initial passwords, making it easier for attackers to compromise these accounts. A patch has been released in version 2.50. and users are advised to upgrade.
Body
Fides is a widely-used open-source privacy engineering platform that enables organizations to effectively manage and secure users' data. Recently, a vulnerability has been discovered in its user invite acceptance API endpoint, leaving user accounts susceptible to unauthorized access due to weak password enforcement.
This vulnerability has been assigned the CVE identifier CVE-2024-52008.
Vulnerability Details
Typically, when an email messaging provider is enabled and a new user account is created in Fides, the system sends an invite email with a special link to the new user's email address. Clicking this link takes the new user to a page where they set their initial password. The Fides user interface enforces password complexity requirements on that page to ensure a strong password is chosen. However, these checks run only on the client side; the server does not enforce the same policy, so anything that bypasses the user interface bypasses the policy as well.
Through direct API calls to the /api/v1/user/accept-invite endpoint, it is possible to bypass the client-side password checks and set extremely weak passwords for user accounts. In some cases, passwords could be as short as a single character, allowing an attacker to easily guess or brute-force the password and compromise the user account.
Here's a code snippet of the client-side validation that can be bypassed:
// Client-side check only: it runs in the browser and is skipped entirely when
// the API is called directly, so the same policy must be enforced on the server.
function validatePassword(password) {
  // at least 8 characters, containing a lowercase letter, an uppercase letter
  // and a digit; only ASCII letters and digits are allowed
  const re = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/;
  return re.test(password);
}
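The defensive counterpart to the snippet above is to apply the same policy on the server, where the invite-acceptance request is actually processed. The following Python example is added here for illustration; it is not Fides' code and does not reproduce the project's API. The names accept_invite, password_policy_violations and the in-memory token and user stores are assumptions made for the example. It enforces the policy the client regex expresses (at least 8 characters, one lowercase letter, one uppercase letter, one digit, ASCII letters and digits only), reports every violated rule so the API can return a useful error, and only stores a salted hash of a password that passed.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 8

# Each rule is checked separately so the server can tell the caller exactly
# which requirements a rejected password failed, instead of a bare "invalid".
def password_policy_violations(password: str) -> list[str]:
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.fullmatch(r"[a-zA-Z\d]*", password):
        problems.append("contains characters outside [a-zA-Z0-9]")
    return problems


@dataclass
class InviteResult:
    accepted: bool
    status: int          # HTTP-style status the handler would return
    detail: list[str]    # policy violations, or a short success message


@dataclass
class UserStore:
    # Constructed stand-ins for persistence: invite token -> username,
    # and username -> (salt, pbkdf2 hash). Not Fides' data model.
    pending_invites: dict[str, str] = field(default_factory=dict)
    credentials: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


# Hypothetical server-side handler for an accept-invite request. The policy
# check happens here, regardless of what the browser did or did not validate.
def accept_invite(store: UserStore, invite_token: str, new_password: str) -> InviteResult:
    username = store.pending_invites.get(invite_token)
    if username is None:
        return InviteResult(False, 404, ["invalid or expired invite token"])

    violations = password_policy_violations(new_password)
    if violations:
        # Reject before touching any state; the invite stays pending.
        return InviteResult(False, 422, violations)

    salt = secrets.token_bytes(16)
    store.credentials[username] = (salt, _hash_password(new_password, salt))
    del store.pending_invites[invite_token]   # single-use token
    return InviteResult(True, 200, ["password set"])


def verify_password(store: UserStore, username: str, password: str) -> bool:
    record = store.credentials.get(username)
    if record is None:
        return False
    salt, expected = record
    return secrets.compare_digest(_hash_password(password, salt), expected)


if __name__ == "__main__":
    store = UserStore(pending_invites={"invite-token-constructed": "alice"})
    # A single-character password, as described in the advisory, is refused
    # even though no client-side code ran at all.
    print(accept_invite(store, "invite-token-constructed", "a"))
    print(accept_invite(store, "invite-token-constructed", "Str0ngPassw0rd"))
    print(verify_password(store, "alice", "Str0ngPassw0rd"))
```

The important property is that accept_invite does not trust the caller: the request body is validated on the server before any credential is written, so a direct API call is held to the same rules as the user interface.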
Patch and Remediation
The Fides development team was quick to address this vulnerability and released a patch that enforces the password policy on the server side in version 2.50.. Users are strongly advised to upgrade to this version or later to ensure their systems are secure. You can find the latest releases on their GitHub repository.
There are no known workarounds for this vulnerability. Upgrading to the patched version is the only way to fully secure your Fides instance.
References
- Fides GitHub Repository
- Fides Releases
- Original Advisory (limited access)
- CVE-2024-52008 (may not be published yet)
In conclusion, it is crucial for users of the Fides privacy engineering platform to be aware of vulnerabilities like CVE-2024-52008. Taking quick action to patch these vulnerabilities will ensure that your user data remains protected from unauthorized access and cyber attacks.
Timeline
Published on: 11/26/2024 19:15:29 UTC