CVE-2023-41882

2023-10-1120:15:10

CWE-284

CWE-863

[email protected]

web.nvd.nist.gov

cve-2023-41882

vantage6

federated learning

privacy

infrastructure

endpoint

collaboration

permission

vulnerability

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.9%

JSON

vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.

Affected configurations

Vulners

NVD

Node

vantage6vantage6Range<4.0.0

VendorProductVersionCPE
vantage6vantage6*cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vantage6	vantage6	*	cpe:2.3:a:vantage6:vantage6::::::::

CNA Affected

[
  {
    "vendor": "vantage6",
    "product": "vantage6",
    "versions": [
      {
        "version": "< 4.0.0",
        "status": "affected"
      }
    ]
  }
]