CVE-2024-52008: Password Policy Bypass Vulnerability in Fides Webserver User Accept Invite API

November 26, 2024

The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character.

References

github.com/advisories/GHSA-v7vm-rhmg-8j2r
github.com/ethyca/fides
github.com/ethyca/fides/commit/ce664da46ab7f86d29583ebc34f2ff776f0aa6c2
github.com/ethyca/fides/security/advisories/GHSA-v7vm-rhmg-8j2r
nvd.nist.gov/vuln/detail/CVE-2024-52008

Code Behaviors & Features

Detect and mitigate CVE-2024-52008 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →