CVE-2023-48224

CVE-2023-48224 is a high-severity security vulnerability in ethyca-fides (pip), affecting versions < 2.24.0. It is fixed in 2.24.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Ethyca Fides Cryptographically Weak Generation of One-Time Codes for Identity Verification

Workarounds

None

References

Impact

The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web application.

Privacy requests allow data subjects to submit a request to access all person data held by the data controller, or delete/erase it. Consent request allows data subject users to modify their privacy preferences for how the data controller uses their personal data e.g. data sales and sharing consent opt-in/opt-out.

If subject_identity_verification_required in the [execution] section of fides.toml or the env var FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED is set to True on the fides webserver backend, data subjects are sent a one-time code to their email address or phone number, depending on messaging configuration, and the one-time code must be entered in the Privacy Center UI by the data subject before the privacy or consent request is submitted.

It was identified that the one-time code values for these requests were generated by the python random module, a cryptographically weak pseduo-random number generator (PNRG). If an attacker generates several hundred consecutive one-time codes, this vulnerability allows the attacker to predict all future one-time code values during the lifetime of the backend python process.

There is no security impact on data access requests as the personal data download package is not shared in the Privacy Center itself. However, this vulnerability allows an attacker to (i) submit a verified data erasure request, resulting in deletion of data for the targeted user and (ii) submit a verified consent request, modifying a user's privacy preferences.

CVE-2023-48224 has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.24.0); upgrading removes the vulnerable code path.

Affected versions

ethyca-fides (< 2.24.0)

Security releases

ethyca-fides → 2.24.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

The vulnerability has been patched in Fides version 2.24.0. Users are advised to upgrade to this version or later to secure their systems against this threat.

Frequently Asked Questions

  1. What is CVE-2023-48224? CVE-2023-48224 is a high-severity security vulnerability in ethyca-fides (pip), affecting versions < 2.24.0. It is fixed in 2.24.0.
  2. How severe is CVE-2023-48224? CVE-2023-48224 has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of ethyca-fides are affected by CVE-2023-48224? ethyca-fides (pip) versions < 2.24.0 is affected.
  4. Is there a fix for CVE-2023-48224? Yes. CVE-2023-48224 is fixed in 2.24.0. Upgrade to this version or later.
  5. Is CVE-2023-48224 exploitable, and should I be worried? Whether CVE-2023-48224 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-48224 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-48224? Upgrade ethyca-fides to 2.24.0 or later.

Other vulnerabilities in ethyca-fides

Stop the waste.
Protect your environment with Kodem.