CVE-2024-21649

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd	Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

History

08 Feb 2024, 16:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:vantage6:vantage6::::::::
First Time		Vantage6 vantage6 Vantage6
References	~~() https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd -~~	() https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd - Patch
References	~~() https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx -~~	() https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx - Vendor Advisory
Summary		(es) La tecnología vantage6 permite gestionar e implementar tecnologías que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Antes de 4.2.0, los usuarios autenticados podían inyectar código en variables de entorno de algoritmos, lo que daba como resultado la ejecución remota de código. Esta vulnerabilidad está parcheada en 4.2.0.

30 Jan 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-30 16:15

Updated : 2024-02-08 16:43

NVD link : CVE-2024-21649

Mitre link : CVE-2024-21649

CVE.ORG link : CVE-2024-21649

JSON object : View

Products Affected

vantage6

vantage6

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-21649", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-01-30T16:15:47.653", "references": [{"url": "https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0."}, {"lang": "es", "value": "La tecnolog\u00eda vantage6 permite gestionar e implementar tecnolog\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Antes de 4.2.0, los usuarios autenticados pod\u00edan inyectar c\u00f3digo en variables de entorno de algoritmos, lo que daba como resultado la ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad est\u00e1 parcheada en 4.2.0."}], "lastModified": "2024-02-08T16:43:53.780", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4", "versionEndExcluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}