PT-2023-30525 · Vantage6 · Vantage6

Bartvanb · Published 2023-11-14 · Updated 2023-11-30 · CVE-2023-47631

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

vantage6 versions prior to 4.1.2

Description

The issue arises when a node does not check if an image is allowed to run if a parent id is set. A malicious party that breaches the server may modify it to set a fake parent id and send a task of a non-whitelisted algorithm. The node will then execute it because the parent id that is set prevents checks from being run. This impacts all servers that are breached by an expert user.

Recommendations

For versions prior to 4.1.2, upgrade to version 4.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the node to minimize the risk of exploitation. Avoid using the parent id parameter in a way that could allow a malicious party to set a fake parent id and execute non-whitelisted algorithms.
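
The check described above, sketched as an added example that is not vantage6's code or its actual fix: a node-side gate that skips the image allow-list when a parent id is present, next to one that checks every image. The `Task` fields, function names, and registry paths are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list; a real node would load its policy from configuration.
ALLOWED_IMAGES = frozenset({"registry.example/algorithms/average:1.0"})


@dataclass(frozen=True)
class Task:
    """Hypothetical task message as a node receives it from the server."""
    task_id: int
    image: str
    parent_id: Optional[int] = None  # server-supplied, so not trustworthy


def is_allowed(image: str) -> bool:
    return image in ALLOWED_IMAGES


def accept_task_flawed(task: Task) -> bool:
    """Flawed pattern: a parent id short-circuits the allow-list check."""
    if task.parent_id is not None:
        # Assumes the parent task was vetted, but the field comes from the server.
        return True
    return is_allowed(task.image)


def accept_task_checked(task: Task) -> bool:
    """Every image is checked; parent_id grants no exemption."""
    return is_allowed(task.image)


# Constructed sample tasks (not captured traffic).
SAMPLE_TASKS = [
    Task(1, "registry.example/algorithms/average:1.0"),
    Task(2, "registry.example/unlisted/tool:latest"),
    Task(3, "registry.example/unlisted/tool:latest", parent_id=1),
]


def audit(tasks):
    """Return ids of tasks on which the two gates disagree."""
    return [t.task_id for t in tasks
            if accept_task_flawed(t) != accept_task_checked(t)]


if __name__ == "__main__":
    for t in SAMPLE_TASKS:
        print(t.task_id, accept_task_flawed(t), accept_task_checked(t))
    print("disagreements:", audit(SAMPLE_TASKS))
```

Running `audit` over recorded task metadata in this way is one method of finding tasks that were accepted only because a parent id was set.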

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity
Improperly Implemented Security Check for Standard

Related Identifiers

CVE-2023-47631
GHSA-VC3V-PPC7-V486
PYSEC-2023-303
PYSEC-2023-304

Affected Products

Vantage6