CVE-2024-21671

EPSS 0.22%
Veröffentlicht 30.01.2024 16:15:48
Zuletzt bearbeitet 21.11.2024 08:54:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vantage6 ≫ Vantage6 Version < 4.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.446

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30

Patch

https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21671

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21671

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21671

EUVD