CVE-2024-52008: 
Python vulnerability analysis and mitigation

Fides, an open-source privacy engineering platform, was found to contain a vulnerability (CVE-2024-52008) in its user invite acceptance API endpoint. The vulnerability was discovered on November 26, 2024, affecting versions prior to 2.50.0. The issue stems from a lack of server-side password policy enforcement, which allows users to bypass client-side password complexity validation during the initial account setup process (GitHub Advisory).

The vulnerability exists in the /api/v1/user/accept-invite API endpoint, which fails to implement password policy validations on the server side. While the user interface enforces password complexity requirements through client-side validation, these checks can be circumvented by making direct API calls. This allows the creation of accounts with passwords as short as a single character. The vulnerability has been classified as CWE-602 (Client-Side Enforcement of Server-Side Security) and received a CVSS v3.1 score of 5.7 (Medium/Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability allows invited users to set extremely weak passwords for their own accounts during the initial account setup process. This makes affected accounts susceptible to password guessing or brute force attacks, potentially leading to unauthorized access (GitHub Advisory).

The vulnerability has been patched in Fides version 2.50.0. Users are advised to upgrade to this version or later to secure their systems. No workarounds are available for this vulnerability (GitHub Advisory).