PT-2023-19304 · Vantage6 · Vantage6
Frankcorneliusmartin · Published 2023-10-11 · Updated 2023-10-13 · CVE-2023-23930
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
vantage6 versions prior to 4.0.0
Description
vantage6 is a privacy-preserving federated learning infrastructure. The issue arises from the use of pickle as the default serialization module, which has known security issues. All users of vantage6 that post tasks with the default serialization are affected. As a workaround, users may specify JSON serialization.
Recommendations
For versions prior to 4.0.0, update to version 4.0.0, which contains a patch.
As a temporary workaround, consider specifying JSON serialization instead of the default pickle serialization.
Exploit
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Vantage6
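To illustrate why the description and recommendations above prefer JSON over pickle, here is an added example that is not vantage6 code: it inspects a pickle stream for import/call opcodes without loading it, and shows a receiver that parses JSON only. `ConstructedInput`, `pickle_call_opcodes` and `load_task_input` are hypothetical names, and the sample inputs are constructed.

```python
import json
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call/construct an object.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}


class ConstructedInput:
    """Constructed sample: asks the unpickler to call len("abc") on load."""

    def __reduce__(self):
        return (len, ("abc",))


def pickle_call_opcodes(blob: bytes) -> set:
    """Report import/call opcodes in a pickle stream without loading it."""
    return {op.name for op, _arg, _pos in pickletools.genops(blob)} & CALL_OPCODES


def load_task_input(blob: bytes):
    """Hypothetical receiver: parse JSON only and never fall back to pickle."""
    try:
        return json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("task input is not JSON; refusing to deserialize") from exc


def demo() -> dict:
    data = {"method": "average", "args": [1, 2, 3]}  # constructed task input
    crafted = pickle.dumps(ConstructedInput(), protocol=4)
    return {
        # Plain data needs no call opcodes; the crafted stream does.
        "plain_ops": pickle_call_opcodes(pickle.dumps(data, protocol=4)),
        "crafted_ops": pickle_call_opcodes(crafted),
        # loads() returns what the named callable returned, not an object.
        "crafted_loaded": pickle.loads(crafted),
        "json_roundtrip": load_task_input(json.dumps(data).encode("utf-8")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The opcode listing is a triage aid for data already at rest, not a filter that makes unpickling safe; the control is the JSON-only receiver.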