CVE-2024-38537
"Fides Polyfill.io Client-Side Script Executable Code Injection Vulnerability"
Description
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
INFO
Published Date :
July 2, 2024, 8:15 p.m.
Last Modified :
Nov. 21, 2024, 9:26 a.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
0.0
Exploitability Score :
3.9
Public PoC/Exploit Available at Github
CVE-2024-38537 has a 1 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-38537.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Here's a Python script that checks if the polyfill.io domain is present in the Content Security Policy (CSP) header of a given web application.
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-38537 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-38537 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://fetch.spec.whatwg.org Added Reference https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005 Added Reference https://github.com/ethyca/fides/pull/5026 Added Reference https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m Added Reference https://sansec.io/research/polyfill-supply-chain-attack -
CVE Received by [email protected]
Jul. 02, 2024
Action Type Old Value New Value Added Description Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. Added Reference GitHub, Inc. https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m [No types assigned] Added Reference GitHub, Inc. https://github.com/ethyca/fides/pull/5026 [No types assigned] Added Reference GitHub, Inc. https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005 [No types assigned] Added Reference GitHub, Inc. https://fetch.spec.whatwg.org [No types assigned] Added Reference GitHub, Inc. https://sansec.io/research/polyfill-supply-chain-attack [No types assigned] Added CWE GitHub, Inc. CWE-829 Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-38537 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-38537
weaknesses.