Lucene search

GitHub_MCVELIST:CVE-2023-23929

HistoryMar 03, 2023 - 11:37 p.m.

CVE-2023-23929 Refresh tokens do not expire in Vantage6

2023-03-0323:37:50

CWE-613

GitHub_M

www.cve.org

cve-2023-23929

refresh token

vantage6

privacy preserving

federated learning

security fix

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

43.3%

JSON

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0.

CNA Affected

[
  {
    "vendor": "vantage6",
    "product": "vantage6",
    "versions": [
      {
        "version": "< 3.8.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/vantage6/vantage6/commit/48ebfca42359e9a6743e9598684585e2522cdce8

github.com/vantage6/vantage6/security/advisories/GHSA-4w59-c3gc-rrhp

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

43.3%

JSON

Related for CVELIST:CVE-2023-23929