8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.8%
A node does not check if an image is allowed to run if a parent_id
is set. A malicious party that breaches the server may modify it to set a fake parent_id
and send a task of a non-whitelisted algorithm. The node will then execute it because the parent_id
that is set prevents checks from being run. Relevant node code here
This impacts all servers that are breached by an expert user
Fixed in v4.1.2
None
github.com/vantage6/vantage6
github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268
github.com/vantage6/vantage6/commit/bf83521eb12fa80aa5fc92ef1692010a9a7f8243
github.com/vantage6/vantage6/security/advisories/GHSA-vc3v-ppc7-v486
nvd.nist.gov/vuln/detail/CVE-2023-47631
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.8%