GitHub Advisory Database: GHSA-99R4-CJP4-3HMX
May 22, 2024 - 3:49 p.m.

vantage6 collaboration admins can extend their influence by expanding the collaboration

2024-05-22 15:49:14
CWE-284

CVSS3: 2.7 Low

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AI Score: 7 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Impact

Collaboration administrators can add extra organizations to their collaboration, and doing so extends their influence. For instance, for each organization they include, they can create new users whose passwords they know, and use those accounts to read task results of other collaborations that the organization is involved in.

Only relatively trusted users - with access to manage a collaboration - are able to do this, which reduces the impact.
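
The following audit sketch is an added example, not code from vantage6 or from the advisory. It replays membership changes and flags every one that gives a collaboration's admins a path to other collaborations' task results. The data model, function names, and sample records are assumptions constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (hypothetical names): collaboration -> member organizations.
COLLABS: Dict[str, Set[str]] = {
    "collab_a": {"org_1", "org_2"},
    "collab_b": {"org_3", "org_4"},
    "collab_c": {"org_4", "org_5"},
}

# Constructed audit events: an admin of `collab` added `added_org` to it.
EVENTS: List[dict] = [
    {"actor": "alice", "collab": "collab_a", "added_org": "org_4"},
    {"actor": "bob", "collab": "collab_b", "added_org": "org_6"},
    {"actor": "carol", "collab": "collab_c", "added_org": "org_1"},
]


def newly_reachable(collabs, target, new_org) -> Set[str]:
    """Other collaborations the added organization already belongs to.

    Per the advisory, admins of `target` gain a path to task results of
    these collaborations once `new_org` becomes a member of `target`.
    """
    if new_org in collabs.get(target, set()):
        return set()  # already a member: the change adds no new reach
    return {name for name, orgs in collabs.items()
            if name != target and new_org in orgs}


def flag_events(collabs, events) -> List[Tuple[str, str, str, List[str]]]:
    """Replay membership changes in order and report those that extend reach."""
    state = {name: set(orgs) for name, orgs in collabs.items()}  # work on a copy
    findings = []
    for ev in events:
        exposed = newly_reachable(state, ev["collab"], ev["added_org"])
        if exposed:
            findings.append((ev["actor"], ev["collab"], ev["added_org"], sorted(exposed)))
        state.setdefault(ev["collab"], set()).add(ev["added_org"])
    return findings


if __name__ == "__main__":
    for actor, collab, org, exposed in flag_events(COLLABS, EVENTS):
        print(f"{actor} added {org} to {collab}: extends reach to {exposed}")
```

An organization that belongs to no other collaboration (the `org_6` event here) produces no finding, since adding it exposes nothing beyond the collaboration itself.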

Patches

No

Workarounds

No

Affected configurations

Node: github_advisory_database vantage6, Range: <4.5.0rc3
Name: vantage6, Operator: lt, Version: 4.5.0rc3
