SCA: security update for ethyca-fides (GHSA-82vr-5769-6358)

critical Tenable Cloud Security Plugin ID 412377

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application. Privacy requests allow data subjects to request access to all personal data held by the data controller, or to have it deleted/erased. Consent requests allow data subject users to modify their privacy preferences for how the data controller uses their personal data, e.g. opting in to or out of data sales and sharing. If `subject_identity_verification_required` in the `[execution]` section of `fides.toml` or the env var `FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED` is set to `True` on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted. It was identified that the one-time code values for these requests were generated by the Python `random` module, a cryptographically weak pseudo-random number generator (PRNG). If an attacker obtains several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values for the lifetime of the backend Python process. There is no security impact on data access requests, as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user, and (ii) submit a verified consent request, modifying a user's privacy preferences. The vulnerability has been patched in Fides version `2.24.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability. (CVE-2023-48224)
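The following is an added example, not Fides code, showing the weakness the advisory describes and its fix. It puts a `random`-based one-time code generator (the CWE-338 pattern) next to a `secrets`-based replacement, and demonstrates why the former is predictable: Python's `random` is MT19937, whose 624-word internal state can be recovered from 624 consecutive raw 32-bit outputs by inverting the output tempering, after which a cloned generator reproduces every later code. The six-digit code format and all function names are assumptions. The attacker here observes raw 32-bit outputs, which is a simplification; recovering the state from truncated six-digit codes alone, as the advisory's "several hundred" codes implies, needs more samples and a linear-algebra solve that is not shown.

```python
"""Added example (not Fides code): predictable `random` one-time codes vs. `secrets`.
Assumed: 6-digit numeric codes; function names are illustrative."""
import random
import secrets

CODE_LEN = 6   # assumption: six-digit numeric one-time codes
MT_N = 624     # MT19937 state size in 32-bit words


def weak_otp(rng: random.Random) -> str:
    """Vulnerable pattern (CWE-338): code drawn from the `random` module (MT19937)."""
    return f"{rng.randrange(10 ** CODE_LEN):0{CODE_LEN}d}"


def secure_otp() -> str:
    """Hardened replacement: OS CSPRNG via `secrets`; no recoverable internal state."""
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"


def temper(x: int) -> int:
    """MT19937 output tempering (forward direction, for reference and testing)."""
    x ^= x >> 11
    x ^= (x << 7) & 0x9D2C5680
    x ^= (x << 15) & 0xEFC60000
    x ^= x >> 18
    return x & 0xFFFFFFFF


def _invert_right_xor(y: int, shift: int) -> int:
    # Invert y = x ^ (x >> shift) on 32-bit words: each pass fixes `shift` more
    # bits from the top, so 32 passes always reach the fixed point.
    x = y
    for _ in range(32):
        x = y ^ (x >> shift)
    return x


def _invert_left_xor_mask(y: int, shift: int, mask: int) -> int:
    # Invert y = x ^ ((x << shift) & mask); each pass fixes `shift` more low bits.
    x = y
    for _ in range(32):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def untemper(y: int) -> int:
    """Undo the tempering steps in reverse order, recovering one raw state word."""
    y = _invert_right_xor(y, 18)
    y = _invert_left_xor_mask(y, 15, 0xEFC60000)
    y = _invert_left_xor_mask(y, 7, 0x9D2C5680)
    y = _invert_right_xor(y, 11)
    return y


def clone_mt(outputs: list) -> random.Random:
    """Rebuild a generator whose future output equals the victim's, from exactly
    MT_N consecutive raw 32-bit outputs of the victim."""
    if len(outputs) != MT_N:
        raise ValueError(f"need exactly {MT_N} consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs]
    clone = random.Random()
    # CPython state tuple: (version 3, (624 state words..., index), gauss_next).
    # index == MT_N means "twist before producing the next word", which is the
    # victim's position after emitting these 624 outputs.
    clone.setstate((3, tuple(state) + (MT_N,), None))
    return clone


def demo(seed: int = 1) -> dict:
    """Victim process generates codes from one long-lived `random.Random`; the
    attacker captures 624 raw outputs, clones the state and predicts the next codes."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(MT_N)]   # attacker's view
    clone = clone_mt(observed)
    predicted = [weak_otp(clone) for _ in range(5)]
    actual = [weak_otp(victim) for _ in range(5)]
    return {
        "predicted": predicted,
        "actual": actual,
        "match": predicted == actual,      # True: every future code is known
        "secure_sample": secure_otp(),     # unpredictable; no state to recover
    }


if __name__ == "__main__":
    print(demo())
```

The prediction works because `randrange` on both the victim and the clone consumes the same 32-bit words through the same rejection-sampling logic, so once the states are synchronized every derived code agrees. `secrets.randbelow` reads from the OS CSPRNG on each call, so there is no long-lived state for an attacker to reconstruct, which is the property a one-time code needs.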

See Also

https://github.com/advisories/GHSA-82vr-5769-6358

Plugin Details

Severity: Critical

ID: 412377

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C

CVSS Score Source: CVE-2023-48224

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/16/2023

Vulnerability Publication Date: 11/15/2023

Reference Information

CVE: CVE-2023-48224

CWE: CWE-338