Vulnerability-Lookup

CVE-2024-21671 (GCVE-0-2024-21671)

Vulnerability from cvelistv5 – Published: 2024-01-30 15:43 – Updated: 2024-10-17 18:01

Title

vantage6 username timing attack

Summary

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.

Severity

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/vantage6/vantage6/security/adv…	x_refsource_CONFIRM
https://github.com/vantage6/vantage6/commit/389f4…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
vantage6	vantage6	Affected: < 4.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.036Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
          },
          {
            "name": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21671",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-31T15:22:33.541155Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T18:01:07.740Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vantage6",
          "vendor": "vantage6",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-30T15:43:06.789Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
        },
        {
          "name": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
        }
      ],
      "source": {
        "advisory": "GHSA-45gq-q4xh-cp53",
        "discovery": "UNKNOWN"
      },
      "title": "vantage6 username timing attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-21671",
    "datePublished": "2024-01-30T15:43:06.789Z",
    "dateReserved": "2023-12-29T16:10:20.368Z",
    "dateUpdated": "2024-10-17T18:01:07.740Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-21671",
      "date": "2026-05-28",
      "epss": "0.0022",
      "percentile": "0.44602"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.2.0\", \"matchCriteriaId\": \"A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"La tecnolog\\u00eda vantage6 permite gestionar e implementar tecnolog\\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Es posible averiguar los nombres de usuario a partir del tiempo de respuesta de las solicitudes de inicio de sesi\\u00f3n. Esto podr\\u00eda ayudar a los atacantes en ataques de credenciales. La versi\\u00f3n 4.2.0 parchea esta vulnerabilidad.\"}]",
      "id": "CVE-2024-21671",
      "lastModified": "2024-11-21T08:54:50.357",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 3.7, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 1.4}]}",
      "published": "2024-01-30T16:15:48.090",
      "references": "[{\"url\": \"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-208\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-21671\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-01-30T16:15:48.090\",\"lastModified\":\"2024-11-21T08:54:50.357\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.\"},{\"lang\":\"es\",\"value\":\"La tecnolog\u00eda vantage6 permite gestionar e implementar tecnolog\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Es posible averiguar los nombres de usuario a partir del tiempo de respuesta de las solicitudes de inicio de sesi\u00f3n. Esto podr\u00eda ayudar a los atacantes en ataques de credenciales. La versi\u00f3n 4.2.0 parchea esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-208\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.2.0\",\"matchCriteriaId\":\"A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4\"}]}]}],\"references\":[{\"url\":\"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\", \"name\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\", \"name\": \"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T22:27:36.036Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-21671\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-31T15:22:33.541155Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-17T18:01:02.787Z\"}}], \"cna\": {\"title\": \"vantage6 username timing attack\", \"source\": {\"advisory\": \"GHSA-45gq-q4xh-cp53\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"vantage6\", \"product\": \"vantage6\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\", \"name\": \"https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\", \"name\": \"https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-01-30T15:43:06.789Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-21671\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-17T18:01:07.740Z\", \"dateReserved\": \"2023-12-29T16:10:20.368Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-01-30T15:43:06.789Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2024-07864

Vulnerability from cnvd - Published: 2024-02-06

Title

vantage6存在未明漏洞（CNVD-2024-07864）

Description

vantage6是vantage6开源的一个用于Secure Insight eXchange的开源priVAcy preserviNg federalTed leArningG基础架构。 vantage6 4.2.0版本之前存在安全漏洞，该漏洞源于可以从登录请求的响应时间找出用户名。目前没有详细的漏洞细节提供。

Severity

低

Patch Name

vantage6存在未明漏洞（CNVD-2024-07864）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-216713

Impacted products

Name
vantage6 vantage6 <4.2.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-21671",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-21671"
    }
  },
  "description": "vantage6\u662fvantage6\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8eSecure Insight eXchange\u7684\u5f00\u6e90priVAcy preserviNg federalTed leArningG\u57fa\u7840\u67b6\u6784\u3002\n\nvantage6 4.2.0\u7248\u672c\u4e4b\u524d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53ef\u4ee5\u4ece\u767b\u5f55\u8bf7\u6c42\u7684\u54cd\u5e94\u65f6\u95f4\u627e\u51fa\u7528\u6237\u540d\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-07864",
  "openTime": "2024-02-06",
  "patchDescription": "vantage6\u662fvantage6\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8eSecure Insight eXchange\u7684\u5f00\u6e90priVAcy preserviNg federalTed leArningG\u57fa\u7840\u67b6\u6784\u3002\r\n\r\nvantage6 4.2.0\u7248\u672c\u4e4b\u524d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53ef\u4ee5\u4ece\u767b\u5f55\u8bf7\u6c42\u7684\u54cd\u5e94\u65f6\u95f4\u627e\u51fa\u7528\u6237\u540d\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "vantage6\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-07864\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "vantage6 vantage6 \u003c4.2.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-216713",
  "serverity": "\u4f4e",
  "submitTime": "2024-02-04",
  "title": "vantage6\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-07864\uff09"
}

FKIE_CVE-2024-21671

Vulnerability from fkie_nvd - Published: 2024-01-30 16:15 - Updated: 2024-11-21 08:54

Severity

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30	Patch
security-advisories@github.com	https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53	Vendor Advisory

Impacted products

	Vendor	Product	Version
	vantage6	vantage6	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4",
              "versionEndExcluding": "4.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability."
    },
    {
      "lang": "es",
      "value": "La tecnolog\u00eda vantage6 permite gestionar e implementar tecnolog\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Es posible averiguar los nombres de usuario a partir del tiempo de respuesta de las solicitudes de inicio de sesi\u00f3n. Esto podr\u00eda ayudar a los atacantes en ataques de credenciales. La versi\u00f3n 4.2.0 parchea esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-21671",
  "lastModified": "2024-11-21T08:54:50.357",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-30T16:15:48.090",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-208"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-45GQ-Q4XH-CP53

Vulnerability from github – Published: 2024-01-30 20:56 – Updated: 2024-02-08 22:48

Summary

vantage6 vulnerable to username timing attack

Details

Impact

It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks

Workarounds

Severity

3.7 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T20:56:48Z",
    "nvd_published_at": "2024-01-30T16:15:48Z",
    "severity": "LOW"
  },
  "details": "### Impact\nIt is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks\n\n### Workarounds\nNo\n",
  "id": "GHSA-45gq-q4xh-cp53",
  "modified": "2024-02-08T22:48:56Z",
  "published": "2024-01-30T20:56:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2024-31.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vantage6 vulnerable to username timing attack"
}

GSD-2024-21671

Vulnerability from gsd - Updated: 2023-12-30 06:02

Details

Aliases

CVE-2024-21671

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-21671"
      ],
      "details": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.",
      "id": "GSD-2024-21671",
      "modified": "2023-12-30T06:02:17.623063Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-21671",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vantage6",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.2.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vantage6"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-208",
                "lang": "eng",
                "value": "CWE-208: Observable Timing Discrepancy"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
          },
          {
            "name": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30",
            "refsource": "MISC",
            "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-45gq-q4xh-cp53",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4",
                    "versionEndExcluding": "4.2.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability."
          },
          {
            "lang": "es",
            "value": "La tecnolog\u00eda vantage6 permite gestionar e implementar tecnolog\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Es posible averiguar los nombres de usuario a partir del tiempo de respuesta de las solicitudes de inicio de sesi\u00f3n. Esto podr\u00eda ayudar a los atacantes en ataques de credenciales. La versi\u00f3n 4.2.0 parchea esta vulnerabilidad."
          }
        ],
        "id": "CVE-2024-21671",
        "lastModified": "2024-02-08T16:42:41.923",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-01-30T16:15:48.090",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-203"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-208"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

PYSEC-2024-31

Vulnerability from pysec - Published: 2024-01-30 16:15 - Updated: 2024-02-08 18:22

Details

Severity

3.7 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Impacted products

Name	purl
vantage6	pkg:pypi/vantage6

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6",
        "purl": "pkg:pypi/vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "389f416c445da4f2438c72f34c3b1084485c4e30"
            }
          ],
          "repo": "https://github.com/vantage6/vantage6",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.0",
        "0.0.0b0",
        "0.0.0b1",
        "0.0.0b3",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a2",
        "1.0.0b10",
        "1.0.0b11",
        "1.0.0b12",
        "1.0.0b13",
        "1.0.0b14",
        "1.0.0b2",
        "1.0.0b3",
        "1.0.0b4",
        "1.0.0b5",
        "1.0.0b6",
        "1.0.0b7",
        "1.0.0b8",
        "1.0.0b9",
        "1.1.0",
        "1.1.0rc1",
        "1.1.0rc2",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.3.post2",
        "2.0.0",
        "2.0.0.post1",
        "2.0.0a1",
        "2.0.0a2",
        "2.0.0a3",
        "2.0.1rc1",
        "2.0.1rc2",
        "2.1.0",
        "2.1.0rc1",
        "2.1.1",
        "2.2.0",
        "2.2.0b1",
        "2.2.0b2",
        "2.2.0b3",
        "2.2.0b4",
        "2.2.1",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9",
        "2.3.0",
        "2.3.0rc1",
        "2.3.0rc2",
        "2.3.0rc3",
        "2.3.0rc4",
        "2.3.0rc5",
        "2.3.1",
        "2.3.2",
        "2.3.2rc1",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.5b1",
        "3.0.0",
        "3.0.0b1",
        "3.0.0b2",
        "3.0.0b3",
        "3.0.0b4",
        "3.0.0b5",
        "3.0.0b6",
        "3.0.0b7",
        "3.0.0b8",
        "3.0.0rc1",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.1.0",
        "3.1.0rc1",
        "3.1.0rc5",
        "3.1.0rc6",
        "3.1.0rc7",
        "3.1.0rc8",
        "3.1.0rc9",
        "3.1.1rc1",
        "3.1.1rc2",
        "3.10.0",
        "3.10.0rc1",
        "3.10.1",
        "3.10.3",
        "3.10.4",
        "3.11.0",
        "3.11.0rc1",
        "3.11.0rc2",
        "3.11.0rc3",
        "3.11.1",
        "3.2.0",
        "3.2.0rc1",
        "3.2.0rc2",
        "3.2.0rc3",
        "3.2.0rc4",
        "3.2.0rc5",
        "3.3.0",
        "3.3.0a0",
        "3.3.0rc1",
        "3.3.0rc2",
        "3.3.0rc3",
        "3.3.0rc4",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.3.4",
        "3.3.5",
        "3.3.6",
        "3.3.7",
        "3.3.7a2",
        "3.3.7a3",
        "3.3.8a1",
        "3.3.8a2",
        "3.3.8a4",
        "3.3.8a5",
        "3.3.8a6",
        "3.3.8a7",
        "3.3.8a8",
        "3.4.0",
        "3.4.0a1",
        "3.4.0a2",
        "3.4.0a3",
        "3.4.0a6",
        "3.4.1",
        "3.4.1a0",
        "3.4.1a1",
        "3.4.1a2",
        "3.4.1a3",
        "3.4.2",
        "3.4.2a0",
        "3.4.3",
        "3.5.0",
        "3.5.0rc1",
        "3.5.0rc2",
        "3.5.0rc3",
        "3.5.1",
        "3.5.2",
        "3.6.0",
        "3.6.1",
        "3.6.1rc1",
        "3.6.1rc2",
        "3.6.1rc3",
        "3.7.0",
        "3.7.0rc1",
        "3.7.0rc2",
        "3.7.1",
        "3.7.2",
        "3.7.3",
        "3.8.0",
        "3.8.0rc3",
        "3.8.1",
        "3.8.2",
        "3.8.2rc1",
        "3.8.3",
        "3.8.4",
        "3.8.5",
        "3.8.6",
        "3.8.7",
        "3.8.7rc1",
        "3.8.8",
        "3.8.8rc1",
        "3.8.8rc2",
        "3.8.8rc3",
        "3.9.0",
        "3.9.0rc2",
        "3.9.0rc4",
        "4.0.0",
        "4.0.0a10",
        "4.0.0a2",
        "4.0.0a3",
        "4.0.0a4",
        "4.0.0a5",
        "4.0.0a6",
        "4.0.0a7",
        "4.0.0a8",
        "4.0.0a9",
        "4.0.1",
        "4.0.1rc2",
        "4.0.2",
        "4.0.3",
        "4.1.0",
        "4.1.0b0",
        "4.1.0b1",
        "4.1.0rc0",
        "4.1.1",
        "4.1.2",
        "4.1.3",
        "4.2.0rc1",
        "4.2.0rc2"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21671",
    "GHSA-45gq-q4xh-cp53"
  ],
  "details": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.",
  "id": "PYSEC-2024-31",
  "modified": "2024-02-08T18:22:28.276390+00:00",
  "published": "2024-01-30T16:15:00+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-21671 (GCVE-0-2024-21671)

CNVD-2024-07864

FKIE_CVE-2024-21671

GHSA-45GQ-Q4XH-CP53

Impact

Workarounds

GSD-2024-21671

PYSEC-2024-31

Tags

Sightings

Nomenclature