Bartvanb

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.11 **Description** The issue concerns an open-source framework designed for privacy-enhancing technologies such as Federated Learning and Multi-Party Computation. If an attacker gains access to an authenticated session, they can exploit the change password functionality to brute-force the user password. This is possible because the change password route can be called infinitely, providing feedback on incorrect passwords until the correct one is entered. **Recommendations** For versions prior to 4.11, update to version 4.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.11.0 **Description** The vantage6 server has a predictable JWT secret key generation issue. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This issue affects the privacy-preserving analysis functionality of the vantage6 infrastructure. **Recommendations** For versions prior to 4.11.0, update to version 4.11.0 to resolve the issue. As a temporary workaround, consider defining a custom JWT secret key to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vantage6-UI (affected versions not specified) **Description** The issue is related to the absence of certain security headers in the vantage6-UI, which is the official user interface for the vantage6 server. This problem has been addressed in a specific commit, and users are advised to upgrade when a new release is made. As a temporary measure, users can modify the Docker image build to insert the necessary headers into nginx. **Recommendations** For all affected versions, users are advised to upgrade to a newer version when it is released. As a temporary workaround, consider modifying the Docker image build to insert the necessary security headers into nginx.

**Name of the Vulnerable Software and Affected Versions** vantage6 (affected versions not specified) **Description** The vantage6 server has no restrictions on CORS settings, which should be configurable to set allowed origins. The impact is limited because v6 does not use session cookies. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.2.0 **Description** The vantage6 technology is used to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Authenticated users could inject code into algorithm environment variables, resulting in remote code execution. **Recommendations** For versions prior to 4.2.0, update to version 4.2.0 to resolve the issue. As a temporary workaround, consider restricting access to algorithm environment variables to prevent code injection until the update is applied.

**Name of the Vulnerable Software and Affected Versions** vantage6 (affected versions not specified) **Description** The issue allows attackers to determine which usernames exist in vantage6 by calling the API routes "/recover/lost" and "/2fa/lost", which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response "Failed to login" if the username exists. This could aid attackers in credential attacks. **Recommendations** As a temporary workaround, consider restricting access to the API routes "/recover/lost" and "/2fa/lost" until a patch is available. Upgrade to a new release as soon as it is available, as the issue has been addressed in commit `aecfd6d0e` and is expected to ship in subsequent releases.

**Name of the Vulnerable Software and Affected Versions** vantage6-UI versions prior to 4.2.0 **Description** The issue is related to insufficient protection of service data in the vantage6-UI interface, which can allow a remote attacker to gain unauthorized access to protected information. The docker image used to run the UI leaks the nginx version. **Recommendations** For versions prior to 4.2.0, to mitigate the vulnerability, users can run the UI as an angular application. At the moment, there is no other information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.2.0 **Description** The vantage6 technology is used to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). By default, nodes and servers receive an ssh config that permits root login with password authentication. Although a proper deployment should not expose the SSH service, not all deployments are ideal, and the default configuration should be less permissive. **Recommendations** For versions prior to 4.2.0, remove the ssh part from the docker file and rebuild the docker image as a mitigation measure. For version 4.2.0 and later, no action is required as this version patches the vulnerability.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.2.0 **Description** The vantage6 technology is used to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests, which could aid attackers in credential attacks. **Recommendations** For versions prior to 4.2.0, update to version 4.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.1.2 **Description** The issue arises when a node does not check if an image is allowed to run if a `parent id` is set. A malicious party that breaches the server may modify it to set a fake `parent id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent id` that is set prevents checks from being run. This impacts all servers that are breached by an expert user. **Recommendations** For versions prior to 4.1.2, upgrade to version 4.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the node to minimize the risk of exploitation. Avoid using the `parent id` parameter in a way that could allow a malicious party to set a fake `parent id` and execute non-whitelisted algorithms.