CVE-2023-41881

vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.6 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400	Release Notes
https://github.com/vantage6/vantage6/pull/748	Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6	Third Party Advisory
https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400	Release Notes
https://github.com/vantage6/vantage6/pull/748	Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-11 20:15

Updated : 2024-11-21 08:21

NVD link : CVE-2023-41881

Mitre link : CVE-2023-41881

CVE.ORG link : CVE-2023-41881

JSON object : View

Products Affected

vantage6

vantage6

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-708

Incorrect Ownership Assignment

NVD-CWE-noinfo

{"id": "CVE-2023-41881", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 0.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-10-11T20:15:10.617", "references": [{"url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vantage6/vantage6/pull/748", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/vantage6/vantage6/pull/748", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-708"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. Cuando se elimina una colaboraci\u00f3n, se deben eliminar los recursos vinculados (como las tareas de esa colaboraci\u00f3n). Esto es en parte para administrar los datos correctamente, pero tambi\u00e9n para evitar un efecto secundario potencial (pero poco probable) que afecte a las versiones anteriores a la 4.0.0, donde si se elimina una colaboraci\u00f3n con id=10 y posteriormente se crea una nueva colaboraci\u00f3n con id =10, los usuarios autenticados en esa colaboraci\u00f3n podr\u00edan ver los resultados de la colaboraci\u00f3n eliminada en algunos casos. La versi\u00f3n 4.0.0 contiene un parche para este problema. No se conocen workarounds."}], "lastModified": "2024-11-21T08:21:50.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21C07998-FF3A-4F49-B6B7-97E89CB0A6B4", "versionEndExcluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}