5 matches found
vantage6-algorithm-store (>=4.10.0 <=4.15.1rc1), vantage6-node (>=0.0.0 <=4.15.1rc1) +1 more potentially affected by CVE-2024-24770 via vantage6 (>=0.0.0 <=4.2.3)
vantage6 PYPI version =0.0.0, =4.10.0, =0.0.0, =0.0.0, =4.15.1rc1 Source cves: CVE-2024-24770 Source advisory: OSV:GHSA-5H3X-6GWF-73JM...
CVE-2024-24770
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost and /2fa/lost...
CVE-2024-24770 Username timing attack on recover password/MFA token in vantage6
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost and /2fa/lost...
CVE-2024-24770
Vantage6 exposes two API endpoints, /recover/lost and /2fa/lost, which allow an attacker to enumerate existing usernames via recovery-email behavior or timing differences. Root cause: inadequate access controls on recovery utilities leading to user enumeration. Impact: potential targeted credenti...
CVE-2024-24770 Username timing attack on recover password/MFA token in vantage6
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost and /2fa/lost...