Fides Privilege Escalation Vulnerability via OAuth Scope Mismanagement

Vulnerability

A privilege escalation vulnerability has been identified in the Fides Webserver API's OAuth client management endpoints in versions prior to 2.69.1. The endpoints check that the caller is allowed to create or update OAuth clients, but they do not check that the scopes being assigned to a client are scopes the caller itself holds. As a result, a user whose only relevant permissions are the ability to create or update OAuth clients can assign owner-level scopes to a client under their control and, through that client, reach functions such as user management and system configuration that should be restricted to owners.

Impact

Exploitation of this vulnerability allows a user with contributor-level access to obtain owner-equivalent privileges: managing users, altering system settings, and granting permissions to other principals, any of which can disrupt normal operation of the deployment.

Reproduction

The vulnerability can be reproduced by a user holding the 'client:create' or 'client:update' scope. The user creates a new OAuth client, or updates an existing one, and includes in its scope list scopes the user does not hold, such as owner-level scopes. Because the endpoint does not compare the requested scopes against the caller's own, the request is accepted and the resulting client carries the elevated privileges. A simple check for a given deployment is to attempt exactly this with a contributor account: a patched server rejects the request.
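The following is an added illustration of the class of bug described above, written for this page and not taken from the Fides code base. It places a create endpoint that only checks the caller's right to manage clients next to a hardened version that also requires the requested scopes to be a subset of the caller's own, and applies the same rule to updates. The scope names 'client:create' and 'client:update' come from the advisory; 'user:create' and 'config:update', the Principal and OAuthClient types, and the function names are assumptions made for the example.

```python
"""Scope-assignment check for an OAuth client management endpoint.

Added illustration, not Fides code. It reproduces the bug class the
advisory describes (an endpoint that checks only that the caller may
manage clients, not which scopes it may hand out) beside a hardened
version. Scope names other than client:create / client:update are
assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

# Scopes named in the advisory.
CLIENT_CREATE = "client:create"
CLIENT_UPDATE = "client:update"
# Assumed owner-level scopes standing in for user management / system config.
USER_CREATE = "user:create"
CONFIG_UPDATE = "config:update"
OWNER_SCOPES = frozenset({CLIENT_CREATE, CLIENT_UPDATE, USER_CREATE, CONFIG_UPDATE})


@dataclass(frozen=True)
class Principal:
    """The authenticated caller (a user or an OAuth client)."""
    id: str
    scopes: frozenset[str]


@dataclass(frozen=True)
class OAuthClient:
    client_id: str
    scopes: frozenset[str]


class Forbidden(Exception):
    pass


def create_client_vulnerable(caller: Principal, client_id: str,
                             requested: Iterable[str]) -> OAuthClient:
    """Before: only the caller's right to create clients is checked."""
    if CLIENT_CREATE not in caller.scopes:
        raise Forbidden("client:create required")
    # Bug: the requested scopes are stored as given, so a contributor can
    # mint a client carrying scopes the contributor never held.
    return OAuthClient(client_id, frozenset(requested))


def _check_assignable(caller: Principal, requested: frozenset[str]) -> None:
    """A caller may only hand out scopes it holds itself."""
    excess = requested - caller.scopes
    if excess:
        raise Forbidden(
            f"cannot assign scopes the caller does not hold: {sorted(excess)}")


def create_client_hardened(caller: Principal, client_id: str,
                           requested: Iterable[str]) -> OAuthClient:
    """After: requested scopes must be a subset of the caller's own."""
    if CLIENT_CREATE not in caller.scopes:
        raise Forbidden("client:create required")
    wanted = frozenset(requested)
    _check_assignable(caller, wanted)
    return OAuthClient(client_id, wanted)


def update_client_hardened(caller: Principal, client: OAuthClient,
                           requested: Iterable[str]) -> OAuthClient:
    """Same rule on update: every scope being *added* to the client must be
    one the caller holds, so a contributor cannot widen an existing client."""
    if CLIENT_UPDATE not in caller.scopes:
        raise Forbidden("client:update required")
    wanted = frozenset(requested)
    _check_assignable(caller, wanted - client.scopes)
    return OAuthClient(client.client_id, wanted)


def contributor_can_escalate(
        create: Callable[[Principal, str, Iterable[str]], OAuthClient]) -> bool:
    """Run the advisory's scenario against a create implementation: a
    contributor holding only the client:* scopes tries to mint a client
    with the full owner scope set."""
    contributor = Principal("contributor", frozenset({CLIENT_CREATE, CLIENT_UPDATE}))
    try:
        client = create(contributor, "escalated", OWNER_SCOPES)
    except Forbidden:
        return False
    # The call succeeded; the client is owner-equivalent if it holds the
    # scopes gating user management and system configuration.
    return USER_CREATE in client.scopes and CONFIG_UPDATE in client.scopes


if __name__ == "__main__":
    print("vulnerable endpoint escalates:", contributor_can_escalate(create_client_vulnerable))
    print("hardened endpoint escalates:  ", contributor_can_escalate(create_client_hardened))
```

The update check compares only the scopes being added, so a contributor can still edit a client that already holds broader scopes as long as the set is not widened; a deployment that wants the stricter rule can pass the full requested set to _check_assignable instead.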

Remediation

Users are advised to upgrade to Fides version 2.69.1 or later, where this vulnerability has been patched. Because the fix validates scopes at assignment time, it is also advisable to audit OAuth clients created or updated before the upgrade for scopes broader than their creator's, and to revoke or reissue any that were over-provisioned.

Added: Sep 8, 2025, 10:19 PM
Updated: Sep 8, 2025, 10:19 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 3.8
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.