Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fides Lacks Brute-Force Protections on Authentication Endpoints
Vulnerability Description
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords. Version 2.69.1 fixes the issue. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (like Azure, Google, or Okta) is an effective workaround. When OIDC SSO is enabled, username/password authentication can be disabled entirely, which eliminates this attack vector. This functionality is not available for Fides Open Source users.
CVSS Information
N/A
Vulnerability Type
过多认证尝试的限制不恰当
Vulnerability Title
Fides 安全漏洞
Vulnerability Description
Fides是Ethyca开源的一个开源隐私工程平台,用于管理运行时环境中数据隐私请求的实现以及代码中隐私法规的执行。 Fides 2.69.1之前版本存在安全漏洞,该漏洞源于缺乏针对暴力破解攻击的防护措施。
CVSS Information
N/A
Vulnerability Type
N/A