Low severityNVD Advisory· Published May 29, 2024· Updated Aug 2, 2024

Partial Password Exposure Vulnerability in Fides Webserver Logs

CVE-2024-34715

Description

Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as @ and $, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version 2.37.0. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ethyca-fidesPyPI	< 2.37.0	2.37.0

Affected products

Ethyca/Fidesv5
Range: < 2.37.0

Patches

6ab37b1ffe2b

Merge pull request from GHSA-8cm5-jfj2-26q7

https://github.com/ethyca/fidesDawn PattisonMay 23, 2024via ghsa

commit

3 files changed · +52 −3

src/fides/api/db/database.py+2 −1 modified

@@ -31,7 +31,8 @@ def get_alembic_config(database_url: str) -> Config:
     directory = path.join(migrations_dir, "../alembic/migrations")
     config = Config(path.join(migrations_dir, "../alembic/alembic.ini"))
     config.set_main_option("script_location", directory.replace("%", "%%"))
-    config.set_main_option("sqlalchemy.url", database_url)
+    # Avoids invalid interpolation syntax errors if % in string
+    config.set_main_option("sqlalchemy.url", database_url.replace("%", "%%"))
     return config

src/fides/config/database_settings.py+9 −2 modified

@@ -4,7 +4,7 @@
 
 from copy import deepcopy
 from typing import Dict, Optional, Union, cast
-from urllib.parse import quote, urlencode
+from urllib.parse import quote, quote_plus, urlencode
 
 from pydantic import Field, PostgresDsn, validator
 
@@ -71,7 +71,7 @@ class DatabaseSettings(FidesSettings):
     )
     params: Dict = Field(
         default={},  # Can't use the default_factory since it breaks docs generation
-        description="Additional connection parameters used when connecting to the applicaiton database.",
+        description="Additional connection parameters used when connecting to the application database.",
     )
 
     # These must be at the end because they require other values to construct
@@ -96,6 +96,13 @@ class DatabaseSettings(FidesSettings):
         exclude=True,
     )
 
+    @validator("password", pre=True)
+    def escape_password(cls, value: Optional[str]) -> Optional[str]:
+        """Escape password"""
+        if value and isinstance(value, str):
+            return quote_plus(value)
+        return value
+
     @validator("sync_database_uri", pre=True)
     @classmethod
     def assemble_sync_database_uri(

tests/ctl/core/config/test_config.py+41 −0 modified

@@ -5,6 +5,7 @@
 import pytest
 from pydantic import ValidationError
 
+from fides.api.db.database import get_alembic_config
 from fides.config import check_required_webserver_config_values, get_config
 from fides.config.database_settings import DatabaseSettings
 from fides.config.redis_settings import RedisSettings
@@ -191,6 +192,46 @@ def test_database_url_test_mode_disabled() -> None:
     )
 
 
+@pytest.mark.unit
+def test_password_escaped_by_database_settings_validation() -> None:
+    database_settings = DatabaseSettings(
+        user="postgres",
+        password="fidesp@ssword",
+        server="fides-db",
+        port="5432",
+        db="database",
+        test_db="test_database",
+    )
+    assert (
+        database_settings.async_database_uri
+        == "postgresql+asyncpg://postgres:fidesp%40ssword@fides-db:5432/test_database"
+    )
+
+    assert (
+        database_settings.sync_database_uri
+        == "postgresql+psycopg2://postgres:fidesp%40ssword@fides-db:5432/test_database"
+    )
+
+    assert (
+        database_settings.sqlalchemy_database_uri
+        == "postgresql://postgres:fidesp%40ssword@fides-db:5432/database"
+    )
+
+    assert (
+        database_settings.sqlalchemy_test_database_uri
+        == "postgresql://postgres:fidesp%40ssword@fides-db:5432/test_database"
+    )
+
+
+def test_get_alembic_config_with_special_char_in_database_url():
+    database_url = (
+        "postgresql+psycopg2://postgres:fidesp%40ssword@fides-db:5432/test_database"
+    )
+    # this would fail with - ValueError: invalid interpolation syntax
+    # if not handled
+    get_alembic_config(database_url)
+
+
 @patch.dict(
     os.environ,
     {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-8cm5-jfj2-26q7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-34715ghsaADVISORY
docs.sqlalchemy.org/en/14/core/engines.htmlghsax_refsource_MISCWEB
github.com/ethyca/fides/commit/6ab37b1ffe2b1a3bd35b706a82f78e061086141cghsax_refsource_MISCWEB
github.com/ethyca/fides/security/advisories/GHSA-8cm5-jfj2-26q7ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000