CVE-2023-28635

Name of the Vulnerable Software and Affected Versions vantage6 versions prior to 4.0.0

Description The issue affects vantage6, a privacy-preserving federated learning infrastructure. Malicious users may attempt to access resources they are not allowed to see by creating resources with integers as names. This can lead to issues, for example, when defining which users are allowed to run algorithms on their node, where the definition may be based on username or user id. If a user with user id 13 is allowed to run tasks and an attacker creates a username '13', the attacker would be wrongly allowed to run an algorithm. There may be other places in the code where such a mixup of resource ID or name leads to issues.

Recommendations To resolve the issue, update to version 4.0.0 or later, as it contains a patch for this issue. As a temporary workaround, consider checking when resources are created or modified to ensure the resource name always starts with a character.