CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Fides is vulnerable to a supply-chain attack. fides.js loaded polyfill scripts for legacy browsers from the third-party domain polyfill.io, which was subsequently compromised (see the Sansec write-up in the references). An attacker controlling that domain could therefore serve malicious script to users of legacy browsers whenever a page embedding fides.js fetched the polyfill. Note that the compromised domain has since been seized, rendering this vulnerability unexploitable; this is why every CVSS impact metric above is NONE.
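The practical lesson of this advisory is that a client-side bundle should not pull executable code from a host outside the deployer's control, because the bundle inherits whatever that host later serves. The following is an added example, not code from the Fides project or from the advisory: a small audit that lists every external <script src> in a page, resolves relative and protocol-relative URLs against the page origin, and flags hosts that are known-compromised (polyfill.io, the case on this page) or simply not on an allow-list. The sample HTML, the page origin, the allow-listed CDN and the "unknown" host are all constructed for the example.

```javascript
// Added example (not Fides project code): audit which hosts an HTML page
// loads <script src> from, so that a dependency on a third-party domain such
// as polyfill.io is visible before that domain changes hands.

// Hosts that must never serve script to our users. polyfill.io is the host
// documented in this advisory; cdn.polyfill.io is listed as an assumption.
const KNOWN_BAD_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);

// Pull every src attribute from <script ...> tags. Handles double-quoted,
// single-quoted and unquoted values; the lookbehind keeps "data-src" from
// matching. Inline scripts have no src and are skipped.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*?(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    srcs.push(m[1] ?? m[2] ?? m[3]);
  }
  return srcs;
}

// Classify each external script by the host it resolves to. Relative and
// protocol-relative URLs are resolved against pageOrigin, so a
// "//polyfill.io/..." src is recognised as the third-party host it really is.
function auditScripts(html, { pageOrigin, allowedHosts = [] }) {
  const page = new URL(pageOrigin);
  const allowed = new Set(allowedHosts);
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    let u;
    try {
      u = new URL(src, page.href);
    } catch {
      findings.push({ src, host: null, level: "warn", reason: "unparseable URL" });
      continue;
    }
    const host = u.hostname;
    if (host === page.hostname) continue; // first-party: shipped by our own deploys
    if (KNOWN_BAD_HOSTS.has(host)) {
      findings.push({ src, host, level: "critical", reason: "known compromised host" });
    } else if (!allowed.has(host)) {
      findings.push({ src, host, level: "warn", reason: "third-party host not on allow-list" });
    } else if (u.protocol !== "https:") {
      findings.push({ src, host, level: "warn", reason: "allow-listed host loaded without TLS" });
    }
  }
  return findings;
}

// Constructed sample page: a first-party bundle, the legacy-browser polyfill
// pattern pointing at polyfill.io, one allow-listed CDN and one unknown host.
const SAMPLE_HTML = `
<html><head>
<script src="/fides.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src='https://cdn.example-allowed.com/lib.js'></script>
<script type="module" src=https://unknown-cdn.example/extra.js></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

const SAMPLE_AUDIT = auditScripts(SAMPLE_HTML, {
  pageOrigin: "https://privacy.example.com",
  allowedHosts: ["cdn.example-allowed.com"],
});

for (const f of SAMPLE_AUDIT) {
  console.log(`[${f.level}] ${f.host ?? "?"}: ${f.reason} (${f.src})`);
}
```

Run on the sample, the audit reports polyfill.io as critical and the unknown CDN as a warning, while the first-party fides.js and the allow-listed CDN pass. Two remediation caveats worth keeping in mind: Subresource Integrity cannot protect a polyfill.io-style dependency, because that service tailors the returned bytes to the requesting User-Agent so no single hash applies; and a Content-Security-Policy script-src allow-list limits the blast radius but still trusts every host it names. Bundling the polyfills into the first-party asset removes the third-party host from the trust boundary entirely.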
fetch.spec.whatwg.org/
github.com/advisories/GHSA-cvw4-c69g-7v7m
github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005
github.com/ethyca/fides/commit/ceb1c60501eb12d1a1ca0a3c046834cd99420804
github.com/ethyca/fides/pull/5026
github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m
sansec.io/research/polyfill-supply-chain-attack