CVE-2024-21649

HIGH

vantage6 < 4.2.0 - Authenticated Remote Code Execution via Algorithm Environment Variables

Title source: llm

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx

Patch x_refsource_misc

https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0127

EPSS Percentile 65.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

pypi/vantage6 0 - 4.2.0PyPI

vantage6/vantage6 < 4.2.0

Published Jan 30, 2024

Tracked Since Feb 18, 2026