CVE-2025-57817

Sažetak

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.

Reference

https://github.com/ethyca/fides/commit/2ffd125e1089a09b84c27fb5279a05960cbf2452
https://github.com/ethyca/fides/releases/tag/2.69.1
https://github.com/ethyca/fides/security/advisories/GHSA-hjfh-p8f5-24wr

CVSS

Base:	7.2
Impact:	5.9
Exploitability:	1.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	HIGH

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

10-09-2025 - 18:41

Objavljeno

08-09-2025 - 22:15