CVE-2024-34715

CVE-2024-34715 is a low-severity vulnerability in Ethyca Fides with a CVSS 3.x base score of 2.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-116.

Key facts

Description

Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.

Frequently asked questions

What is CVE-2024-34715?
Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.
How severe is CVE-2024-34715?
CVE-2024-34715 has a CVSS 3.x base score of 2.3, rated low severity. It is exploitable over local access with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2024-34715 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (19th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-34715?
CVE-2024-34715 affects Ethyca Fides. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-34715?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-34715 have an EU (EUVD) identifier?
Yes. CVE-2024-34715 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-1520.
When was CVE-2024-34715 published?
CVE-2024-34715 was published on 2024-05-29 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Ethyca Fides

All CVEs affecting Ethyca Fides →

Other CWE-116 vulnerabilities

Browse all CWE-116 vulnerabilities →