CVE-2023-41882

Опубликовано: 11 окт. 2023

Источник: nvd

CVSS3: 5.4

CVSS3: 4.3

EPSS Низкий

Описание

vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.

Ссылки

https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
Release Notes
https://github.com/vantage6/vantage6/pull/711
Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r
Third Party Advisory
https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
Release Notes
https://github.com/vantage6/vantage6/pull/711
Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

Версия до 4.0.0 (исключая)

EPSS

Процентиль: 35%

0.00145

Низкий

5.4 Medium

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-284

Связанные уязвимости

GHSA-gc57-xhh5-m94r

CVSS3: 5.4

github

больше 2 лет назад

Improper Access Control in vantage6

EPSS

Процентиль: 35%

0.00145

Низкий

5.4 Medium

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-284