CVE-2024-22193

LOW

vantage6 < 4.2.0 - Insecure Storage of Sensitive Information

Title source: llm

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr

Patch x_refsource_misc

https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074

View Patch ZIP pw:eip

Scores

CVSS v3 3.5

EPSS 0.0026

EPSS Percentile 16.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-922

Status published

Products (2)

pypi/vantage6 0 - 4.2.0PyPI

vantage6/vantage6 < 4.2.0

Published Jan 30, 2024

Tracked Since Feb 18, 2026