cvelistv5 - cve-2023-23930

CVE-2023-23930 (GCVE-0-2023-23930)

Vulnerability from cvelistv5 – Published: 2023-10-11 17:39 – Updated: 2024-09-18 15:22

Summary

vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/vantage6/vantage6/security/adv…	x_refsource_CONFIRM
	https://github.com/vantage6/vantage6/commit/e62f0…	x_refsource_MISC
	https://github.com/vantage6/vantage6/blob/0682c42…	x_refsource_MISC
	https://medium.com/ochrona/python-pickle-is-notor…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vantage6	vantage6	Affected: < 4.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:27.163Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
          },
          {
            "name": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
          },
          {
            "name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
          },
          {
            "name": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23930",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-18T15:02:52.046576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-18T15:22:09.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vantage6",
          "vendor": "vantage6",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-11T18:50:53.413Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
        },
        {
          "name": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
        },
        {
          "name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
        },
        {
          "name": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
        }
      ],
      "source": {
        "advisory": "GHSA-5m22-cfq9-86x6",
        "discovery": "UNKNOWN"
      },
      "title": "vantage6\u0027s Pickle serialization is insecure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-23930",
    "datePublished": "2023-10-11T17:39:23.504Z",
    "dateReserved": "2023-01-19T21:12:31.360Z",
    "dateUpdated": "2024-09-18T15:22:09.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.0.2\", \"matchCriteriaId\": \"2D0FAD5D-F686-426B-9539-38F6F036D97B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.\"}, {\"lang\": \"es\", \"value\": \"vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. Las versiones anteriores a la 4.0.0 usan pickle, que tiene problemas de seguridad conocidos, como m\\u00f3dulo de serializaci\\u00f3n predeterminado pero que tiene problemas de seguridad conocidos. Todos los usuarios de vantage6 que publican tareas con la serializaci\\u00f3n predeterminada se ven afectados. La versi\\u00f3n 4.0.0 contiene un parche. Los usuarios pueden especificar la serializaci\\u00f3n JSON como workaround.\"}]",
      "id": "CVE-2023-23930",
      "lastModified": "2024-11-21T07:47:07.430",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 4.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}]}",
      "published": "2023-10-11T18:15:10.037",
      "references": "[{\"url\": \"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Permissions Required\", \"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Permissions Required\", \"Technical Description\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23930\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-11T18:15:10.037\",\"lastModified\":\"2024-11-21T07:47:07.430\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.\"},{\"lang\":\"es\",\"value\":\"vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. Las versiones anteriores a la 4.0.0 usan pickle, que tiene problemas de seguridad conocidos, como m\u00f3dulo de serializaci\u00f3n predeterminado pero que tiene problemas de seguridad conocidos. Todos los usuarios de vantage6 que publican tareas con la serializaci\u00f3n predeterminada se ven afectados. La versi\u00f3n 4.0.0 contiene un parche. Los usuarios pueden especificar la serializaci\u00f3n JSON como workaround.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.0.2\",\"matchCriteriaId\":\"2D0FAD5D-F686-426B-9539-38F6F036D97B\"}]}]}],\"references\":[{\"url\":\"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Permissions Required\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Permissions Required\",\"Technical Description\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\", \"name\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\", \"name\": \"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\", \"name\": \"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\", \"name\": \"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:42:27.163Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23930\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-18T15:02:52.046576Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-18T15:22:02.391Z\"}}], \"cna\": {\"title\": \"vantage6\u0027s Pickle serialization is insecure\", \"source\": {\"advisory\": \"GHSA-5m22-cfq9-86x6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"vantage6\", \"product\": \"vantage6\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\", \"name\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\", \"name\": \"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\", \"name\": \"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\", \"name\": \"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-10-11T18:50:53.413Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-23930\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-18T15:22:09.610Z\", \"dateReserved\": \"2023-01-19T21:12:31.360Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-10-11T17:39:23.504Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-23930

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-23930

Aliases

CVE-2023-23930

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-23930",
    "id": "GSD-2023-23930"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-23930"
      ],
      "details": "vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.",
      "id": "GSD-2023-23930",
      "modified": "2023-12-13T01:20:49.502709Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-23930",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vantage6",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vantage6"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502: Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
          },
          {
            "name": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
          },
          {
            "name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
          },
          {
            "name": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9",
            "refsource": "MISC",
            "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5m22-cfq9-86x6",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.0.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-23930"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Permissions Required",
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
            },
            {
              "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
            },
            {
              "name": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
            },
            {
              "name": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-10-13T21:27Z",
      "publishedDate": "2023-10-11T18:15Z"
    }
  }
}

PYSEC-2023-196

Vulnerability from pysec - Published: 2023-10-11 18:15 - Updated: 2023-10-13 22:28

Details

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Impacted products

Name	purl
vantage6	pkg:pypi/vantage6

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6",
        "purl": "pkg:pypi/vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
            }
          ],
          "repo": "https://github.com/vantage6/vantage6",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.0",
        "0.0.0b0",
        "0.0.0b1",
        "0.0.0b3",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a2",
        "1.0.0b10",
        "1.0.0b11",
        "1.0.0b12",
        "1.0.0b13",
        "1.0.0b14",
        "1.0.0b2",
        "1.0.0b3",
        "1.0.0b4",
        "1.0.0b5",
        "1.0.0b6",
        "1.0.0b7",
        "1.0.0b8",
        "1.0.0b9",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.3.post2",
        "2.0.0",
        "2.0.0.post1",
        "2.0.0a1",
        "2.0.0a2",
        "2.0.0a3",
        "2.0.1rc1",
        "2.0.1rc2",
        "2.1.0",
        "2.1.0rc1",
        "2.1.1",
        "2.2.0",
        "2.2.0b1",
        "2.2.0b2",
        "2.2.0b3",
        "2.2.0b4",
        "2.2.1",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9",
        "2.3.0",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.0rc3",
        "2.3.0rc4",
        "2.3.0rc5",
        "2.3.1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.5b1",
        "3.0.0",
        "3.0.0b1",
        "3.0.0b2",
        "3.0.0b3",
        "3.0.0b4",
        "3.0.0b5",
        "3.0.0b6",
        "3.0.0b7",
        "3.0.0b8",
        "3.0.0rc1",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.1.0",
        "3.1.0rc1",
        "3.1.0rc5",
        "3.1.0rc6",
        "3.1.0rc7",
        "3.1.0rc8",
        "3.1.0rc9",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.10.0",
        "3.10.0rc1",
        "3.10.1",
        "3.10.3",
        "3.10.4",
        "3.11.0",
        "3.11.0rc1",
        "3.11.0rc2",
        "3.11.0rc3",
        "3.11.1",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc2",
        "3.2.0rc3",
        "3.2.0rc4",
        "3.2.0rc5",
        "3.3.0",
        "3.3.0a0",
        "3.3.0rc1",
        "3.3.0rc2",
        "3.3.0rc3",
        "3.3.0rc4",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.3.4",
        "3.3.5",
        "3.3.6",
        "3.3.7",
        "3.3.7a2",
        "3.3.7a3",
        "3.3.8a1",
        "3.3.8a2",
        "3.3.8a4",
        "3.3.8a5",
        "3.3.8a6",
        "3.3.8a7",
        "3.3.8a8",
        "3.4.0",
        "3.4.0a1",
        "3.4.0a2",
        "3.4.0a3",
        "3.4.0a6",
        "3.4.1",
        "3.4.1a0",
        "3.4.1a1",
        "3.4.1a2",
        "3.4.1a3",
        "3.4.2",
        "3.4.2a0",
        "3.4.3",
        "3.5.0",
        "3.5.0rc1",
        "3.5.0rc2",
        "3.5.0rc3",
        "3.5.1",
        "3.5.2",
        "3.6.0",
        "3.6.1",
        "3.6.1rc1",
        "3.6.1rc2",
        "3.6.1rc3",
        "3.7.0",
        "3.7.0rc1",
        "3.7.0rc2",
        "3.7.1",
        "3.7.2",
        "3.7.3",
        "3.8.0",
        "3.8.0rc3",
        "3.8.1",
        "3.8.2",
        "3.8.2rc1",
        "3.8.3",
        "3.8.4",
        "3.8.5",
        "3.8.6",
        "3.8.7",
        "3.8.7rc1",
        "3.8.8",
        "3.8.8rc1",
        "3.8.8rc2",
        "3.8.8rc3",
        "3.9.0",
        "3.9.0rc2",
        "3.9.0rc4",
        "4.0.0",
        "4.0.0a10",
        "4.0.0a2",
        "4.0.0a3",
        "4.0.0a4",
        "4.0.0a5",
        "4.0.0a6",
        "4.0.0a7",
        "4.0.0a8",
        "4.0.0a9",
        "4.0.1",
        "4.0.1rc2"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23930",
    "GHSA-5m22-cfq9-86x6"
  ],
  "details": "vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.",
  "id": "PYSEC-2023-196",
  "modified": "2023-10-13T22:28:56.802294+00:00",
  "published": "2023-10-11T18:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5M22-CFQ9-86X6

Vulnerability from github – Published: 2023-10-13 19:25 – Updated: 2024-11-18 23:11

Summary

Pickle serialization vulnerable to Deserialization of Untrusted Data

Details

What

We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9).

In summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue.

Solution: we should use JSON instead

Impact

All users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers.

Patches

Not yet

Workarounds

Specify JSON serialization

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.6 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-13T19:25:39Z",
    "nvd_published_at": "2023-10-11T18:15:10Z",
    "severity": "HIGH"
  },
  "details": "### What\nWe are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9). \n\nIn summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue.\n\nSolution: we should use JSON instead\n\n### Impact\nAll users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers.\n\n### Patches\nNot yet\n\n### Workarounds\nSpecify JSON serialization\n\n",
  "id": "GHSA-5m22-cfq9-86x6",
  "modified": "2024-11-18T23:11:28Z",
  "published": "2023-10-13T19:25:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-196.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pickle serialization vulnerable to Deserialization of Untrusted Data"
}

FKIE_CVE-2023-23930

Vulnerability from fkie_nvd - Published: 2023-10-11 18:15 - Updated: 2024-11-21 07:47

Severity ?

5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400	Release Notes
security-advisories@github.com	https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0	Patch
security-advisories@github.com	https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6	Vendor Advisory
security-advisories@github.com	https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9	Exploit, Permissions Required, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9	Exploit, Permissions Required, Technical Description, Third Party Advisory

Impacted products

	Vendor	Product	Version
	vantage6	vantage6	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D0FAD5D-F686-426B-9539-38F6F036D97B",
              "versionEndExcluding": "4.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround."
    },
    {
      "lang": "es",
      "value": "vantage6 es una infraestructura de aprendizaje federada que preserva la privacidad. Las versiones anteriores a la 4.0.0 usan pickle, que tiene problemas de seguridad conocidos, como m\u00f3dulo de serializaci\u00f3n predeterminado pero que tiene problemas de seguridad conocidos. Todos los usuarios de vantage6 que publican tareas con la serializaci\u00f3n predeterminada se ven afectados. La versi\u00f3n 4.0.0 contiene un parche. Los usuarios pueden especificar la serializaci\u00f3n JSON como workaround."
    }
  ],
  "id": "CVE-2023-23930",
  "lastModified": "2024-11-21T07:47:07.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-11T18:15:10.037",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Permissions Required",
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Permissions Required",
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-23930 (GCVE-0-2023-23930)

GSD-2023-23930

PYSEC-2023-196

GHSA-5M22-CFQ9-86X6

What

Impact

Patches

Workarounds

FKIE_CVE-2023-23930

Tags

Sightings

Nomenclature