Lucene search

[email protected]NVD:CVE-2023-23930

HistoryOct 11, 2023 - 6:15 p.m.

CVE-2023-23930

2023-10-1118:15:10

CWE-502

[email protected]

web.nvd.nist.gov

cve-2023-23930

vantage6

privacy preserving

federated learning

infrastructure

pickle serialization

security issue

json serialization

patch

workaround

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.

Affected configurations

Nvd

Node

vantage6vantage6Range<4.0.2

VendorProductVersionCPE
vantage6vantage6*cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vantage6	vantage6	*	cpe:2.3:a:vantage6:vantage6::::::::

References

github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400

github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0

github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6

medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

Related for NVD:CVE-2023-23930

veracode1 cve1 vulnrichment1 osv3 prion1 cvelist1 github1