PT-2023-28141 · Vantage6 · Vantage6
Frankcorneliusmartin · Published 2023-10-11 · Updated 2023-10-18 · CVE-2023-41882
CVSS v3.1: 5.4 Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
vantage6 versions prior to 4.0.0
Description
vantage6 is a privacy-preserving federated learning infrastructure. The endpoint "/api/collaboration/{id}/task" is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, the endpoint only checks whether the user has permission to view the collaboration.
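The missing check described above, as an added illustration that is not vantage6's own code: a simplified handler that checks only the collaboration permission, beside one that also requires the task permission, with a helper suited to a regression test. The permission model, function names and sample data are all hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks a required permission (maps to HTTP 403)."""


@dataclass
class User:
    name: str
    # Hypothetical permission model: (resource, operation, collaboration_id)
    permissions: set = field(default_factory=set)

    def can(self, resource, operation, collaboration_id):
        return (resource, operation, collaboration_id) in self.permissions


# Constructed sample data: tasks keyed by collaboration id.
TASKS = {7: [{"id": 1, "name": "train-model"}, {"id": 2, "name": "aggregate"}]}


def list_tasks_before_fix(user, collaboration_id):
    """Behaviour described for versions prior to 4.0.0: one check only."""
    if not user.can("collaboration", "view", collaboration_id):
        raise Forbidden("cannot view collaboration")
    return TASKS.get(collaboration_id, [])


def list_tasks_after_fix(user, collaboration_id):
    """Both permissions are required before any task is returned."""
    for resource in ("collaboration", "task"):
        if not user.can(resource, "view", collaboration_id):
            raise Forbidden(f"cannot view {resource}")
    return TASKS.get(collaboration_id, [])


def is_denied(handler, user, collaboration_id):
    """Regression-test helper: True if the handler refuses the request."""
    try:
        handler(user, collaboration_id)
    except Forbidden:
        return True
    return False


# Constructed users: one may view the collaboration only, one may view both.
collab_only = User("alice", {("collaboration", "view", 7)})
full_viewer = User("bob", {("collaboration", "view", 7), ("task", "view", 7)})
```

A test of this shape, run against the real endpoint with a collaboration-only account, confirms whether a deployment still returns tasks to users who lack the task permission.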
Recommendations
For versions prior to 4.0.0, update to version 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/collaboration/{id}/task" endpoint until the update is applied.
Incorrect Authorization
Improper Access Control
Affected Products
Vantage6