CVE-2024-21649

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution.  This vulnerability is patched in 4.2.0.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
vantage6vantage6
𝑥
< 4.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd
https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx
https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd
https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx