CVE-2024-23823

MEDIUM

Vantage6 < 4.2.1 - Incorrect Authorization

Title source: rule

Description

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.

References (2)

[Vendor Advisory] https://github.com/vantage6/vantage6/security/advisories/GHSA-4946-85pr-fvxh

[Patch] https://github.com/vantage6/vantage6/commit/70bb4e1d889230a841eb364d6c03accd7dd01a41

View Patch ZIP pw:eip

Scores

CVSS v3 4.2

EPSS 0.0020

EPSS Percentile 41.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-942 CWE-863

Status published

Products (2)

pypi/vantage6 0 - 4.3.0PyPI

vantage6/vantage6 < 4.2.1

Published Mar 14, 2024

Tracked Since Feb 18, 2026