CVE-2024-22193

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074	Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

History

08 Feb 2024, 16:41

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~3.5~~	v2 : unknown v3 : 4.3
CPE		cpe:2.3:a:vantage6:vantage6::::::::
References	~~() https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074 -~~	() https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074 - Patch
References	~~() https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr -~~	() https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr - Vendor Advisory
First Time		Vantage6 vantage6 Vantage6

30 Jan 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-30 16:15

Updated : 2024-02-08 16:41

NVD link : CVE-2024-22193

Mitre link : CVE-2024-22193

CVE.ORG link : CVE-2024-22193

JSON object : View

Products Affected

vantage6

vantage6

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-22193", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2024-01-30T16:15:48.310", "references": [{"url": "https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0."}, {"lang": "es", "value": "La tecnolog\u00eda vantage6 permite gestionar e implementar tecnolog\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). No se comprueba si la entrada est\u00e1 cifrada si se crea una tarea en una colaboraci\u00f3n cifrada. Por lo tanto, un usuario puede crear accidentalmente una tarea con datos de entrada confidenciales que luego se almacenar\u00e1n sin cifrar en una base de datos. Los usuarios deben asegurarse de configurar correctamente la configuraci\u00f3n de cifrado. Esta vulnerabilidad est\u00e1 parcheada en 4.2.0."}], "lastModified": "2024-02-08T16:41:38.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4", "versionEndExcluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}