exploitDog

CVE-2023-23930

Published: 11 Oct 2023
Source: nvd
CVSS3: 5.5
CVSS3: 7.2
EPSS: Low

Description

vantage6 is privacy-preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issues, as the default serialization module. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.

Vulnerable configurations

Configuration 1
cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*
Versions before 4.0.2 (excluding)

EPSS

Percentile: 72%
0.00729
Low

5.5 Medium

CVSS3

7.2 High

CVSS3

Weaknesses

CWE-502

Related vulnerabilities

CVSS3: 7.2
github
more than 2 years ago

Pickle serialization vulnerable to Deserialization of Untrusted Data