CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28635 – Defining resource name as integer in vantage6 may give unintended access
https://notcve.org/view.php?id=CVE-2023-28635
11 Oct 2023 — vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowe... • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 • CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23930 – vantage6's Pickle serialization is insecure
https://notcve.org/view.php?id=CVE-2023-23930
11 Oct 2023 — vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround. vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23929 – Refresh tokens do not expire in Vantage6
https://notcve.org/view.php?id=CVE-2023-23929
03 Mar 2023 — vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. • https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8 • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-22738 – Improper Preservation of Permissions in vantage6
https://notcve.org/view.php?id=CVE-2023-22738
01 Mar 2023 — vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0. • https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24 • CWE-281: Improper Preservation of Permissions •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39228 – Observable Response Discrepancy in vantage6
https://notcve.org/view.php?id=CVE-2022-39228
01 Mar 2023 — vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0. • https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2 • CWE-203: Observable Discrepancy CWE-204: Observable Response Discrepancy •