Vulnerability Details : CVE-2023-41882
vantage6 is privacy-preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task returns all tasks of a given collaboration. Listing those tasks should require both permission to view the collaboration and permission to view the tasks in it; prior to version 4.0.0, however, only the permission to view the collaboration was checked, so an authenticated user who could see a collaboration could also list its tasks without holding task-view rights. Version 4.0.0 contains a patch. There are no known workarounds.
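The check that was missing, shown as an added example rather than vantage6's own code: the permission names, the User and Collaboration types, the sample data and the HTTP status codes below are all assumptions made for the illustration, and vantage6's real rules are scoped (global, collaboration, organization), which this flat per-user check deliberately collapses. The vulnerable handler gates the task listing on the collaboration permission alone; the hardened one treats task-view as an independent gate on the task resource.

```python
# Added example: an illustrative reconstruction of the authorization gap
# described for CVE-2023-41882, NOT vantage6's own implementation.
# Permission names, types, sample data and status codes are assumptions.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Permission names are assumed for the example.
VIEW_COLLABORATION = "collaboration.view"
VIEW_TASK = "task.view"


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


@dataclass
class Collaboration:
    id: int
    tasks: List[dict] = field(default_factory=list)


# Constructed sample data: one collaboration holding two tasks.
COLLABORATIONS = {
    7: Collaboration(id=7, tasks=[
        {"id": 101, "name": "train-model"},
        {"id": 102, "name": "evaluate"},
    ]),
}

# Constructed users: one may view the collaboration but not its tasks,
# the other may view both.
COLLAB_ONLY_USER = User("collab-only", frozenset({VIEW_COLLABORATION}))
FULL_USER = User("analyst", frozenset({VIEW_COLLABORATION, VIEW_TASK}))

# (status code, body) pair standing in for an HTTP response.
Response = Tuple[int, Optional[List[dict]]]


def list_tasks_vulnerable(user: User, collab_id: int) -> Response:
    """Pre-4.0.0 behaviour as the advisory describes it: the handler for
    GET /api/collaboration/{id}/task checks only the collaboration-view
    permission and then returns every task in the collaboration."""
    collab = COLLABORATIONS.get(collab_id)
    if collab is None:
        return 404, None
    if VIEW_COLLABORATION not in user.permissions:
        return 403, None
    return 200, collab.tasks


def list_tasks_fixed(user: User, collab_id: int) -> Response:
    """Hardened form: the caller must hold BOTH permissions. Being able
    to see a collaboration does not imply being able to see the tasks
    inside it, so task-view is checked as its own gate."""
    collab = COLLABORATIONS.get(collab_id)
    if collab is None:
        return 404, None
    if VIEW_COLLABORATION not in user.permissions:
        return 403, None
    if VIEW_TASK not in user.permissions:
        return 403, None
    return 200, collab.tasks


def demonstrate() -> dict:
    """Run both handlers; only the vulnerable one hands the task list
    to the user who lacks task-view permission."""
    return {
        "vulnerable/collab-only": list_tasks_vulnerable(COLLAB_ONLY_USER, 7)[0],
        "fixed/collab-only": list_tasks_fixed(COLLAB_ONLY_USER, 7)[0],
        "fixed/full": list_tasks_fixed(FULL_USER, 7)[0],
    }


if __name__ == "__main__":
    for case, status in demonstrate().items():
        print(f"{case}: HTTP {status}")
```

To check a deployment for the unpatched behaviour, call the endpoint with a credential that holds collaboration-view but no task-view permission: a 200 response carrying a task list is the pre-4.0.0 behaviour, a permission-denied response is the patched one.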
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-41882
- cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-41882
EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~27% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2023-41882
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 | GitHub, Inc. | |
The two vectors differ only in integrity impact (I:N from NIST, I:L from GitHub); both rate the flaw as network-reachable, low complexity, requiring an authenticated low-privileged user, with a low confidentiality impact and no availability impact.
CWE ids for CVE-2023-41882
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (Assigned by: security-advisories@github.com, Primary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-41882
- https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r (Improper Access Control in vantage6 · Advisory · vantage6/vantage6 · GitHub) [Third Party Advisory]
- https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 (vantage6/docs/release_notes.rst at 0682c4288f43fee5bcc72dc448cdd99bd7e57f76 · vantage6/vantage6 · GitHub) [Release Notes]
- https://github.com/vantage6/vantage6/pull/711 (Feature/collaboration scope by bartvanb · Pull Request #711 · vantage6/vantage6 · GitHub) [Patch]