CVE-2024-21671
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vantage6 | vantage6 | < 4.2.0 | affected |
Weaknesses
- CWE-208: CWE-208: Observable Timing Discrepancy
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53
- https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53
- https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.