CVE-2024-21649
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vantage6 | vantage6 | < 4.2.0 | affected |
Weaknesses
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx
- https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx
- https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.