Frankcorneliusmartin

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.0.0 **Description** vantage6 is a privacy-preserving federated learning infrastructure. The issue arises from the use of `pickle` as the default serialization module, which has known security issues. All users of vantage6 that post tasks with the default serialization are affected. As a workaround, users may specify JSON serialization. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0, which contains a patch. As a temporary workaround, consider specifying JSON serialization instead of the default `pickle` serialization.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.0.0 **Description** The issue affects vantage6, a privacy-preserving federated learning infrastructure. Malicious users may attempt to access resources they are not allowed to see by creating resources with integers as names. This can lead to issues, for example, when defining which users are allowed to run algorithms on their node, where the definition may be based on `username` or `user id`. If a user with `user id` 13 is allowed to run tasks and an attacker creates a `username` '13', the attacker would be wrongly allowed to run an algorithm. There may be other places in the code where such a mixup of resource ID or name leads to issues. **Recommendations** To resolve the issue, update to version 4.0.0 or later, as it contains a patch for this issue. As a temporary workaround, consider checking when resources are created or modified to ensure the resource name always starts with a character.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.0.0 **Description** vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources, such as tasks from that collaboration, should be deleted to manage data properly and prevent a potential side-effect. This side-effect could allow authenticated users in a new collaboration to see results of a deleted collaboration if the new collaboration has the same id as the deleted one. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to collaborations and their linked resources to minimize the risk of information disclosure until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 4.0.0 **Description** vantage6 is privacy preserving federated learning infrastructure. The endpoint "/api/collaboration/{id}/task" is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/collaboration/{id}/task" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 3.8.0 **Description** The issue concerns a privacy-preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organization is currently possible, which may lead to unintended access. If a user from one organization is accidentally assigned to another, they will retain their permissions and might be able to access data they should not be allowed to access. **Recommendations** For versions prior to 3.8.0, update to version 3.8.0 to resolve the issue. As a temporary workaround, consider restricting user assignments to prevent accidental transfers between organizations until the update is applied.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 3.8.0 **Description** The issue concerns the refresh token in vantage6, a privacy-preserving federated learning infrastructure, which is currently valid indefinitely. This is considered bad security practice. The refresh token should have a validity period of 24-48 hours. **Recommendations** For versions prior to 3.8.0, update to version 3.8.0 to resolve the issue. As a temporary workaround, consider implementing a periodic token refresh mechanism to minimize the risk of exploitation. Additionally, restrict access to the refresh token and adapt the UI to log out when the refresh token is no longer valid. Ensure that nodes refresh their tokens periodically to avoid manual restarts.

**Name of the Vulnerable Software and Affected Versions** vantage6 versions prior to 3.8.0 **Description** vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. It does not inform the user of wrong username/password combination if the username actually exists, in an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. **Recommendations** Update to version 3.8.0 or later to resolve the issue. As a temporary workaround, consider restricting the number of login attempts to minimize the risk of exploitation.