cvelistv5 - cve-2023-22738

Source	URL	Tags
security-advisories@github.com	https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24	Patch
security-advisories@github.com	https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh	Vendor Advisory

Vendor	Product
vantage6	vantage6

ghsa-vvjv-97j8-94xh

Vulnerability from github

Published

2023-02-28 23:19

Modified

2023-03-10 18:34

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

vantage6 vulnerable to Improper Preservation of Permissions

Details

Impact

Assigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access.

Patches

Update to 3.8.0

Workarounds

None

References

None

For more information

If you have any questions or comments about this advisory: * Email us at vantage6@iknl.nl

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-28T23:19:24Z",
    "nvd_published_at": "2023-03-01T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAssigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access.\n\n### Patches\nUpdate to 3.8.0\n\n### Workarounds\nNone\n\n### References\nNone\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [vantage6@iknl.nl](mailto:vantage6@iknl.nl)\n",
  "id": "GHSA-vvjv-97j8-94xh",
  "modified": "2023-03-10T18:34:20Z",
  "published": "2023-02-28T23:19:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vantage6 vulnerable to Improper Preservation of Permissions"
}

gsd-2023-22738

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0.

Aliases

CVE-2023-22738

Aliases

CVE-2023-22738

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-22738",
    "id": "GSD-2023-22738"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-22738"
      ],
      "details": "vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0.",
      "id": "GSD-2023-22738",
      "modified": "2023-12-13T01:20:42.235895Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-22738",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vantage6",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 3.8.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vantage6"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-281",
                "lang": "eng",
                "value": "CWE-281: Improper Preservation of Permissions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh"
          },
          {
            "name": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-vvjv-97j8-94xh",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.6.1||\u003e=3.7.0,\u003c=3.7.3||==3.8.0",
          "affected_versions": "All versions before 3.6.1, all versions starting from 3.7.0 up to 3.7.3, version 3.8.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-281",
            "CWE-937"
          ],
          "date": "2023-03-10",
          "description": "vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0.",
          "fixed_versions": [
            "3.6.1",
            "3.8.1"
          ],
          "identifier": "GMS-2023-493",
          "identifiers": [
            "CVE-2023-22738",
            "GHSA-vvjv-97j8-94xh",
            "GMS-2023-493"
          ],
          "not_impacted": "All versions starting from 3.6.1 before 3.7.0, all versions after 3.7.3 before 3.8.0, all versions after 3.8.0",
          "package_slug": "pypi/vantage6",
          "pubdate": "2023-03-01",
          "solution": "Upgrade to versions 3.6.1, 3.8.1 or above.",
          "title": "vantage6 vulnerable to Improper Preservation of Permissions",
          "urls": [
            "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh",
            "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24",
            "https://github.com/advisories/GHSA-vvjv-97j8-94xh"
          ],
          "uuid": "b46a0174-1579-4e04-a9f4-23377cf23dc6"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.6.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vantage6:vantage6:3.8.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vantage6:vantage6:3.8.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vantage6:vantage6:3.8.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.7.3",
                "versionStartIncluding": "3.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-22738"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-281"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh"
            },
            {
              "name": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-03-10T17:54Z",
      "publishedDate": "2023-03-01T21:15Z"
    }
  }
}

pysec-2023-53

Vulnerability from pysec

Published

2023-03-01 21:15

Modified

2023-05-04 03:49

Details

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6",
        "purl": "pkg:pypi/vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "798aca1de142a4eca175ef51112e2235642f4f24"
            }
          ],
          "repo": "https://github.com/vantage6/vantage6",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.1"
            },
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.8.0rc3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.0",
        "0.0.0b0",
        "0.0.0b1",
        "0.0.0b3",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a2",
        "1.0.0b10",
        "1.0.0b11",
        "1.0.0b12",
        "1.0.0b13",
        "1.0.0b14",
        "1.0.0b2",
        "1.0.0b3",
        "1.0.0b4",
        "1.0.0b5",
        "1.0.0b6",
        "1.0.0b7",
        "1.0.0b8",
        "1.0.0b9",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.3.post2",
        "2.0.0",
        "2.0.0.post1",
        "2.0.0a1",
        "2.0.0a2",
        "2.0.0a3",
        "2.0.1rc1",
        "2.0.1rc2",
        "2.1.0",
        "2.1.0rc1",
        "2.1.1",
        "2.2.0",
        "2.2.0b1",
        "2.2.0b2",
        "2.2.0b3",
        "2.2.0b4",
        "2.2.1",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9",
        "2.3.0",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.0rc3",
        "2.3.0rc4",
        "2.3.0rc5",
        "2.3.1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.5b1",
        "3.0.0",
        "3.0.0b1",
        "3.0.0b2",
        "3.0.0b3",
        "3.0.0b4",
        "3.0.0b5",
        "3.0.0b6",
        "3.0.0b7",
        "3.0.0b8",
        "3.0.0rc1",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.1.0",
        "3.1.0rc1",
        "3.1.0rc5",
        "3.1.0rc6",
        "3.1.0rc7",
        "3.1.0rc8",
        "3.1.0rc9",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc2",
        "3.2.0rc3",
        "3.2.0rc4",
        "3.2.0rc5",
        "3.3.0",
        "3.3.0a0",
        "3.3.0rc1",
        "3.3.0rc2",
        "3.3.0rc3",
        "3.3.0rc4",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.3.4",
        "3.3.5",
        "3.3.6",
        "3.3.7",
        "3.3.7a2",
        "3.3.7a3",
        "3.3.8a1",
        "3.3.8a2",
        "3.3.8a4",
        "3.3.8a5",
        "3.3.8a6",
        "3.3.8a7",
        "3.3.8a8",
        "3.4.0",
        "3.4.0a1",
        "3.4.0a2",
        "3.4.0a3",
        "3.4.0a6",
        "3.4.1",
        "3.4.1a0",
        "3.4.1a1",
        "3.4.1a2",
        "3.4.1a3",
        "3.4.2",
        "3.4.2a0",
        "3.4.3",
        "3.5.0",
        "3.5.0rc1",
        "3.5.0rc2",
        "3.5.0rc3",
        "3.5.1",
        "3.5.2",
        "3.6.0",
        "3.6.1rc1",
        "3.6.1rc2",
        "3.6.1rc3",
        "3.7.0",
        "3.7.1",
        "3.7.2",
        "3.7.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22738",
    "GHSA-vvjv-97j8-94xh"
  ],
  "details": "vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access. This issue is patched in version 3.8.0.",
  "id": "PYSEC-2023-53",
  "modified": "2023-05-04T03:49:48.592158Z",
  "published": "2023-03-01T21:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24"
    }
  ]
}

Action not permitted

cve-2023-22738

Vulnerability from cvelistv5

ghsa-vvjv-97j8-94xh

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

gsd-2023-22738

Vulnerability from gsd

pysec-2023-53

Vulnerability from pysec

Tags