CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-22738 – Improper Preservation of Permissions in vantage6
https://notcve.org/view.php?id=CVE-2023-22738
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0. • https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24 https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh • CWE-281: Improper Preservation of Permissions •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39228 – Observable Response Discrepancy in vantage6
https://notcve.org/view.php?id=CVE-2022-39228
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0. • https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2 https://github.com/vantage6/vantage6/issues/59 https://github.com/vantage6/vantage6/pull/281 https://github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429 • CWE-203: Observable Discrepancy CWE-204: Observable Response Discrepancy •