CVE-2023-41882 - Vulnerability Details - OpenCVE

vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00145.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Vantage6	Vantage6

Configuration 1 [-]

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0259	vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.
Github GHSA	GHSA-gc57-xhh5-m94r	Improper Access Control in vantage6

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
https://github.com/vantage6/vantage6/pull/711
https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r

History

Wed, 18 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-11T19:48:44.606Z

Updated: 2024-09-17T14:01:08.232Z

Reserved: 2023-09-04T16:31:48.224Z

Link: CVE-2023-41882

Vulnrichment

Updated: 2024-08-02T19:09:49.281Z

NVD

Status : Modified

Published: 2023-10-11T20:15:10.700

Modified: 2024-11-21T08:21:50.793

Link: CVE-2023-41882

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41882", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-04T16:31:48.224Z", "datePublished": "2023-10-11T19:48:44.606Z", "dateUpdated": "2024-09-17T14:01:08.232Z"}, "containers": {"cna": {"title": "vantage6 Improper Access Control vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r"}, {"name": "https://github.com/vantage6/vantage6/pull/711", "tags": ["x_refsource_MISC"], "url": "https://github.com/vantage6/vantage6/pull/711"}, {"name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}], "affected": [{"vendor": "vantage6", "product": "vantage6", "versions": [{"version": "< 4.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T19:48:44.606Z"}, "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds."}], "source": {"advisory": "GHSA-gc57-xhh5-m94r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.281Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r"}, {"name": "https://github.com/vantage6/vantage6/pull/711", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vantage6/vantage6/pull/711"}, {"name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T13:46:12.859118Z", "id": "CVE-2023-41882", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T14:01:08.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r", "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/vantage6/vantage6/pull/711", "name": "https://github.com/vantage6/vantage6/pull/711", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.281Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41882", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T13:46:12.859118Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T14:01:03.452Z"}}], "cna": {"title": "vantage6 Improper Access Control vulnerability", "source": {"advisory": "GHSA-gc57-xhh5-m94r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vantage6", "product": "vantage6", "versions": [{"status": "affected", "version": "< 4.0.0"}]}], "references": [{"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r", "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vantage6/vantage6/pull/711", "name": "https://github.com/vantage6/vantage6/pull/711", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-11T19:48:44.606Z"}}}, "cveMetadata": {"cveId": "CVE-2023-41882", "state": "PUBLISHED", "dateUpdated": "2024-09-17T14:01:08.232Z", "dateReserved": "2023-09-04T16:31:48.224Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-11T19:48:44.606Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*", "matchCriteriaId": "21C07998-FF3A-4F49-B6B7-97E89CB0A6B4", "versionEndExcluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds."}, {"lang": "es", "value": "vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. El endpoint /api/collaboration/{id}/task se utiliza para recopilar todas las tareas de una determinada colaboraci\u00f3n. Para realizar dichas tareas, un usuario debe tener permiso para ver la colaboraci\u00f3n y las tareas que contiene. Sin embargo, antes de la versi\u00f3n 4.0.0, solo se verifica si el usuario tiene permiso para ver la colaboraci\u00f3n. La versi\u00f3n 4.0.0 contiene un parche. No se conocen workarounds."}], "id": "CVE-2023-41882", "lastModified": "2024-11-21T08:21:50.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-11T20:15:10.700", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vantage6/vantage6/pull/711"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/vantage6/vantage6/pull/711"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}