CVE-2024-21671

LOW

vantage6 <4.2.0 - Info Disclosure

Title source: llm

Description

The vantage6 technology enables managing and deploying privacy-enhancing technologies such as Federated Learning (FL) and Multi-Party Computation (MPC). Usernames can be inferred from the response time of login requests, which could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.

Scores

CVSS v3 3.7
EPSS 0.0022
EPSS Percentile 44.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-208, CWE-203
Status published
Products (2)
pypi/vantage6-server 0 - 4.2.0 (PyPI)
vantage6/vantage6 < 4.2.0
Published Jan 30, 2024
Tracked Since Feb 18, 2026