CVE-2024-21671
EUVD-2024-017030.01.2024, 16:15
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| vantage6 | vantage6 | 𝑥 < 4.2.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-208 - Observable Timing DiscrepancyTwo separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
References