CVE-2023-23929

Name of the Vulnerable Software and Affected Versions vantage6 versions prior to 3.8.0

Description The issue concerns the refresh token in vantage6, a privacy-preserving federated learning infrastructure, which is currently valid indefinitely. This is considered bad security practice. The refresh token should have a validity period of 24-48 hours.

Recommendations For versions prior to 3.8.0, update to version 3.8.0 to resolve the issue. As a temporary workaround, consider implementing a periodic token refresh mechanism to minimize the risk of exploitation. Additionally, restrict access to the refresh token and adapt the UI to log out when the refresh token is no longer valid. Ensure that nodes refresh their tokens periodically to avoid manual restarts.