PT-2023-19304 · Vantage6 · Vantage6

Frankcorneliusmartin · Published 2023-10-11 · Updated 2023-10-13 · CVE-2023-23930

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: vantage6 versions prior to 4.0.0

Description: vantage6 is a privacy-preserving federated learning infrastructure. The issue arises from the use of pickle as the default serialization module, which has known security issues. All users of vantage6 that post tasks with the default serialization are affected. As a workaround, users may specify JSON serialization.

Recommendations: For versions prior to 4.0.0, update to version 4.0.0, which contains a patch. As a temporary workaround, consider specifying JSON serialization instead of the default pickle serialization.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2023-23930
GHSA-5M22-CFQ9-86X6
PYSEC-2023-196

Affected Products

Vantage6