CVE-2024-21671

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30	Patch
https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*

History

08 Feb 2024, 16:42

Type	Values Removed	Values Added
First Time		Vantage6 vantage6 Vantage6
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 3.7
References	~~() https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30 -~~	() https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30 - Patch
References	~~() https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53 -~~	() https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53 - Vendor Advisory
CWE	~~CWE-208~~	CWE-203
CPE		cpe:2.3:a:vantage6:vantage6::::::::

30 Jan 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-30 16:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-21671

Mitre link : CVE-2024-21671

CVE.ORG link : CVE-2024-21671

JSON object : View

Products Affected

vantage6

vantage6

CWE

CWE-203

Observable Discrepancy

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2024-21671", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2024-01-30T16:15:48.090", "references": [{"url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability."}, {"lang": "es", "value": "La tecnolog\u00eda vantage6 permite gestionar e implementar tecnolog\u00edas que mejoran la privacidad, como el Federated Learning (FL) y la Multi-Party Computation (MPC). Es posible averiguar los nombres de usuario a partir del tiempo de respuesta de las solicitudes de inicio de sesi\u00f3n. Esto podr\u00eda ayudar a los atacantes en ataques de credenciales. La versi\u00f3n 4.2.0 parchea esta vulnerabilidad."}], "lastModified": "2024-02-08T16:42:41.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vantage6:vantage6:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9E3A3A7-C004-4E76-B2A3-46F0F1C68AD4", "versionEndExcluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}