
CVE-2024-32969 – vantage6 collaboration admins can extend their influence by expanding the collaboration
https://notcve.org/view.php?id=CVE-2024-32969
23 May 2024 — vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know the passwords, and use that to read task results of other collaborations that that organization is involved in. Only relatively trusted users - with access to manage a collaboration - are able to do this, which reduces the im... • https://github.com/vantage6/vantage6/commit/27f4ee3fade5f4cbcf3e60899c9a2a91145e0b56 • CWE-284: Improper Access Control •

CVE-2024-23823 – CORS settings overly permissive in vantage6
https://notcve.org/view.php?id=CVE-2024-23823
14 Mar 2024 — vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. • https://github.com/vantage6/vantage6/commit/70bb4e1d889230a841eb364d6c03accd7dd01a41 • CWE-863: Incorrect Authorization CWE-942: Permissive Cross-domain Policy with Untrusted Domains •

CVE-2024-24770 – Username timing attack on recover password/MFA token in vantage6
https://notcve.org/view.php?id=CVE-2024-24770
14 Mar 2024 — vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`. These routes send emails to users if they have lost their password or MFA token. This issue has been addressed in commit `aecfd6d0e` and is expected to ship in subsequent releases. Users are advised to upgrade... • https://github.com/vantage6/vantage6/commit/aecfd6d0e83165a41a60ebd52d2287b0217be26b • CWE-208: Observable Timing Discrepancy CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2024-22193 – vantage6 unencrypted task can be created in encrypted collaboration
https://notcve.org/view.php?id=CVE-2024-22193
30 Jan 2024 — The vantage6 technology enables managing and deploying privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0. • https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074 • CWE-922: Insecure Storage of Sensitive Information •

CVE-2024-21671 – vantage6 username timing attack
https://notcve.org/view.php?id=CVE-2024-21671
30 Jan 2024 — The vantage6 technology enables managing and deploying privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability. • https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVE-2024-21653 – vantage6 insecure SSH configuration for node and server containers
https://notcve.org/view.php?id=CVE-2024-21653
30 Jan 2024 — The vantage6 technology enables managing and deploying privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get an SSH config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the dock... • https://github.com/vantage6/vantage6/commit/3fcc6e6a8bd1142fd7a558d8fdd2b246e55c8841 • CWE-284: Improper Access Control •

CVE-2024-21649 – Remote code execution
https://notcve.org/view.php?id=CVE-2024-21649
30 Jan 2024 — The vantage6 technology enables managing and deploying privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0. • https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-47631 – vantage6 Node accepts non-whitelisted algorithms from malicious server
https://notcve.org/view.php?id=CVE-2023-47631
14 Nov 2023 — vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent_id` that is set prevents checks from being run. This impacts all servers that are breached by... • https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268 • CWE-345: Insufficient Verification of Data Authenticity •

CVE-2023-41882 – vantage6 Improper Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-41882
11 Oct 2023 — vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •

CVE-2023-41881 – Deleting a collaboration should also delete linked resources
https://notcve.org/view.php?id=CVE-2023-41881
11 Oct 2023 — vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the delet... • https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-708: Incorrect Ownership Assignment •