CVE-2024-21671

LOW

vantage6 < 4.2.0 - Observable Timing Discrepancy in Login Response

Title source: llm

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53

Patch x_refsource_misc

https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30

View Patch ZIP pw:eip

Scores

CVSS v3 3.7

EPSS 0.0040

EPSS Percentile 31.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-208 CWE-203

Status published

Products (2)

pypi/vantage6-server 0 - 4.2.0PyPI

vantage6/vantage6 < 4.2.0

Published Jan 30, 2024

Tracked Since Feb 18, 2026