CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41882 – vantage6 Improper Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-41882
vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 https://github.com/vantage6/vantage6/pull/711 https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41881 – Deleting a collaboration should also delete linked resources
https://notcve.org/view.php?id=CVE-2023-41881
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds. vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 https://github.com/vantage6/vantage6/pull/748 https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-708: Incorrect Ownership Assignment •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28635 – Defining resource name as integer in vantage6 may give unintended access
https://notcve.org/view.php?id=CVE-2023-28635
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 https://github.com/vantage6/vantage6/pull/744 https://github.com/vantage6/vantage6/security/advisories/GHSA-7x94-6g2m-3hp2 • CWE-863: Incorrect Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23930 – vantage6's Pickle serialization is insecure
https://notcve.org/view.php?id=CVE-2023-23930
vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround. vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0 https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6 https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23929 – Refresh tokens do not expire in Vantage6
https://notcve.org/view.php?id=CVE-2023-23929
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. • https://github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8 https://github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp • CWE-613: Insufficient Session Expiration •