CVE-2023-28635

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28635

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28635.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28635

Aliases

Published

2023-10-11T20:15:09Z

Modified

2024-10-12T10:49:34.143722Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 is allowed to run tasks, and an attacker creates a username with username '13', they would be wrongly allowed to run an algorithm. There may also be other places in the code where such a mixup of resource ID or name leads to issues. Version 4.0.0 contains a patch for this issue. The best solution is to check when resources are created or modified, that the resource name always starts with a character.

References

Affected packages

Git / github.com/vantage6/vantage6

Affected ranges

Type: GIT
Repo: https://github.com/vantage6/vantage6
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7948b4b29f203df3b87f2f2a65bb44ee3e58433b

Affected versions

v0.*

v0.0.0

v3.*

v3.4.0

v3.4.0a2

v3.4.0a3

v3.4.0a4

v3.4.0a6

v3.4.1

v3.4.1a0

v3.4.1a1

v3.4.1a2

v3.4.1a3

v3.4.2

v3.4.2a0

v3.4.3

v3.5.0

v3.5.0rc1

v3.5.0rc2

v3.5.0rc3

v3.5.1

v3.5.2

v3.6.1

v3.6.1rc1

v3.6.1rc2

v3.6.1rc3

v3.7.0

v3.7.0rc1

v3.7.0rc2

v3.7.1

v3.7.2

v3.7.3

v3.8.0

v3.8.0rc2

v3.8.0rc3

v3.8.1

v3.8.2

v3.8.2rc1

version/0.*

version/0.0.0

version/0.0.0b3

version/3.*

version/3.10.0

version/3.10.0rc1

version/3.10.1

version/3.10.2

version/3.10.3

version/3.10.4

version/3.11.0

version/3.11.0rc1

version/3.11.0rc2

version/3.11.0rc3

version/3.11.1

version/3.3.0

version/3.3.0rc1

version/3.3.0rc2

version/3.3.0rc3

version/3.3.0rc4

version/3.3.1

version/3.3.2

version/3.3.3

version/3.3.4

version/3.3.5

version/3.3.6

version/3.3.7

version/3.3.8a1

version/3.3.8a2

version/3.3.8a3

version/3.3.8a4

version/3.3.8a5

version/3.3.8a6

version/3.3.8a7

version/3.3.8a8

version/3.3.8a9

version/3.4.0

version/3.4.0a0

version/3.4.0a1

version/3.4.0a2

version/3.4.0a3

version/3.4.0a4

version/3.4.0a5

version/3.4.0a6

version/3.4.1

version/3.4.1a0

version/3.4.1a1

version/3.4.1a2

version/3.4.1a3

version/3.4.2

version/3.4.2a0

version/3.4.3

version/3.5.0

version/3.5.0rc1

version/3.5.0rc2

version/3.5.0rc3

version/3.5.1

version/3.5.2

version/3.6.1

version/3.6.1rc1

version/3.6.1rc2

version/3.6.1rc3

version/3.7.0

version/3.7.0rc1

version/3.7.0rc2

version/3.7.1

version/3.7.2

version/3.7.3

version/3.8.0

version/3.8.0rc1

version/3.8.0rc2

version/3.8.0rc3

version/3.8.1

version/3.8.2

version/3.8.2rc1

version/3.8.3

version/3.8.4

version/3.8.5

version/3.8.6

version/3.8.7

version/3.8.7rc1

version/3.8.8

version/3.8.8rc1

version/3.8.8rc2

version/3.8.8rc3

version/3.9.0

version/3.9.0rc1

version/3.9.0rc2

version/3.9.0rc3

version/3.9.0rc4

version/4.*

version/4.0.0a1

version/4.0.0a10

version/4.0.0a2

version/4.0.0a3

version/4.0.0a4

version/4.0.0a5

version/4.0.0a6

version/4.0.0a7

version/4.0.0a8

version/4.0.0a9