CVE-2023-41881 - OpenCVE

vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vantage6	Vantage6

Configuration 1 [-]

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
https://github.com/vantage6/vantage6/pull/748
https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-11T19:30:43.808Z

Updated: 2024-09-17T14:02:51.483Z

Reserved: 2023-09-04T16:31:48.224Z

Link: CVE-2023-41881

Vulnrichment

Updated: 2024-08-02T19:09:49.296Z

NVD

Status : Analyzed

Published: 2023-10-11T20:15:10.617

Modified: 2023-10-18T02:24:31.603

Link: CVE-2023-41881

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-04T16:31:48.224Z", "datePublished": "2023-10-11T19:30:43.808Z", "dateUpdated": "2024-09-17T14:02:51.483Z"}, "containers": {"cna": {"title": "Deleting a collaboration should also delete linked resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-708", "lang": "en", "description": "CWE-708: Incorrect Ownership Assignment", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6"}, {"name": "https://github.com/vantage6/vantage6/pull/748", "tags": ["x_refsource_MISC"], "url": "https://github.com/vantage6/vantage6/pull/748"}, {"name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}], "affected": [{"vendor": "vantage6", "product": "vantage6", "versions": [{"version": "< 4.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T19:30:43.808Z"}, "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds."}], "source": {"advisory": "GHSA-rf54-7qrr-96j6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.296Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6"}, {"name": "https://github.com/vantage6/vantage6/pull/748", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vantage6/vantage6/pull/748"}, {"name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T13:49:13.313630Z", "id": "CVE-2023-41881", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T14:02:51.483Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-04T16:31:48.224Z", "datePublished": "2023-10-11T19:30:43.808Z", "dateUpdated": "2024-09-17T14:02:51.483Z"}, "containers": {"cna": {"title": "Deleting a collaboration should also delete linked resources", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-708", "lang": "en", "description": "CWE-708: Incorrect Ownership Assignment", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6"}, {"name": "https://github.com/vantage6/vantage6/pull/748", "tags": ["x_refsource_MISC"], "url": "https://github.com/vantage6/vantage6/pull/748"}, {"name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}], "affected": [{"vendor": "vantage6", "product": "vantage6", "versions": [{"version": "< 4.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T19:30:43.808Z"}, "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds."}], "source": {"advisory": "GHSA-rf54-7qrr-96j6", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.296Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6"}, {"name": "https://github.com/vantage6/vantage6/pull/748", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vantage6/vantage6/pull/748"}, {"name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T13:49:13.313630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T14:02:46.195Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*", "matchCriteriaId": "21C07998-FF3A-4F49-B6B7-97E89CB0A6B4", "versionEndExcluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. Cuando se elimina una colaboraci\u00f3n, se deben eliminar los recursos vinculados (como las tareas de esa colaboraci\u00f3n). Esto es en parte para administrar los datos correctamente, pero tambi\u00e9n para evitar un efecto secundario potencial (pero poco probable) que afecte a las versiones anteriores a la 4.0.0, donde si se elimina una colaboraci\u00f3n con id=10 y posteriormente se crea una nueva colaboraci\u00f3n con id =10, los usuarios autenticados en esa colaboraci\u00f3n podr\u00edan ver los resultados de la colaboraci\u00f3n eliminada en algunos casos. La versi\u00f3n 4.0.0 contiene un parche para este problema. No se conocen workarounds."}], "id": "CVE-2023-41881", "lastModified": "2023-10-18T02:24:31.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-11T20:15:10.617", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vantage6/vantage6/pull/748"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-708"}], "source": "security-advisories@github.com", "type": "Secondary"}]}