CVE-2023-46125
CVE-2023-46125 is a medium-severity vulnerability in Ethyca Fides with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (50th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-863
- Affected product: Ethyca Fides
- Published:
- Last modified:
Description
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`.
Frequently asked questions
- What is CVE-2023-46125?
- Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. The vulnerability has been patched in Fides version `2.22.1`.
- How severe is CVE-2023-46125?
- CVE-2023-46125 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-46125 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (50th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-46125?
- CVE-2023-46125 affects Ethyca Fides. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-46125?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-46125 published?
- CVE-2023-46125 was published on 2023-10-25 and last updated on 2026-06-17.
References
- https://github.com/ethyca/fides/commit/c9f3a620a4b4c1916e0941cb5624dcd636f06d06
- https://github.com/ethyca/fides/releases/tag/2.22.1
- https://github.com/ethyca/fides/security/advisories/GHSA-rjxg-rpg3-9r89
Affected products (1)
- cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*
More vulnerabilities in Ethyca Fides
- CVE-2024-45053 — Critical (CVSS 9.1): Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email…
- CVE-2024-52008 — High (CVSS 8.8): Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side…
- CVE-2023-41319 — High (CVSS 8.8): Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime…
- CVE-2023-48224 — High (CVSS 8.2): Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime…
- CVE-2023-46124 — High (CVSS 8.2): Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in runtime…
- CVE-2025-57816 — High (CVSS 7.5): Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in…
All CVEs affecting Ethyca Fides →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →