U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2024-38537 Detail

Description

Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS score
NIST: NVD
Base Score:  N/A
NVD assessment not yet provided.

Nist CVSS score does not match with CNA score
CNA:  GitHub, Inc.
Base Score:  0.0 NONE
Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://fetch.spec.whatwg.org
https://fetch.spec.whatwg.org
https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005
https://github.com/ethyca/fides/commit/868c4d629760572192bd61db34f5a4458ed12005
https://github.com/ethyca/fides/pull/5026
https://github.com/ethyca/fides/pull/5026
https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m
https://github.com/ethyca/fides/security/advisories/GHSA-cvw4-c69g-7v7m
https://sansec.io/research/polyfill-supply-chain-attack
https://sansec.io/research/polyfill-supply-chain-attack

Weakness Enumeration

CWE-ID CWE Name Source
CWE-829 Inclusion of Functionality from Untrusted Control Sphere GitHub, Inc.  

Change History

2 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-38537
NVD Published Date:
07/02/2024
NVD Last Modified:
11/21/2024
Source:
GitHub, Inc.