CVE-2023-28635

MEDIUM

vantage6 < 4.0.0 - Incorrect Authorization via Integer Resource Name

Title source: llm

Description

vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/vantage6/vantage6/security/advisories/GHSA-7x94-6g2m-3hp2

Patch x_refsource_misc

https://github.com/vantage6/vantage6/pull/744

Release Notes x_refsource_misc

https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400

View Writeup ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0040

EPSS Percentile 31.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

pypi/vantage6 0 - 4.0.0PyPI

vantage6/vantage6 < 4.0.0

Published Oct 11, 2023

Tracked Since Feb 18, 2026