CVE-2022-39228 MEDIUM

CVE-2022-39228: Observable Response Discrepancy in vantage6

Vendor Vantage6
Product vantage6
Weakness CWE-204
Published March 1, 2023
Last update March 7, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

vantage6 is a privacy-preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of a wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily, and that block is an observable difference in the response that indicates the username exists. This issue has been fixed in version 3.8.0.
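The discrepancy described above, reproduced in a minimal login handler beside one way to remove it. This is an added example, not vantage6 code: the user store, the threshold of 3, the message strings and the function names are assumptions, and the page does not say how 3.8.0 implements its fix.

```python
import hashlib
import hmac

MAX_FAILS = 3  # assumed threshold; the page only says "a number of times"
GENERIC = "Invalid username or password"
BLOCKED = "Account temporarily blocked"


def _digest(password):
    # PBKDF2 with a fixed demo salt keeps the example dependency-free.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 1000)


USERS = {"alice": _digest("correct horse")}  # constructed sample account


def _password_ok(username, password):
    # Unknown users are checked against a dummy digest so both paths do the same work.
    stored = USERS.get(username, bytes(32))
    return hmac.compare_digest(stored, _digest(password)) and username in USERS


def login_leaky(fails, username, password):
    """Counts failures only for real accounts, so only they ever return BLOCKED."""
    if username in USERS and fails.get(username, 0) >= MAX_FAILS:
        return BLOCKED
    if _password_ok(username, password):
        fails.pop(username, None)
        return "OK"
    if username in USERS:
        fails[username] = fails.get(username, 0) + 1
    return GENERIC


def login_uniform(fails, username, password):
    """Counts failures per submitted name, whether or not the account exists."""
    if fails.get(username, 0) >= MAX_FAILS:
        return BLOCKED
    if _password_ok(username, password):
        fails.pop(username, None)
        return "OK"
    fails[username] = fails.get(username, 0) + 1
    return GENERIC


def responses(login, username, attempts=MAX_FAILS + 1):
    """Replay wrong-password attempts against a fresh counter; return what the client sees."""
    fails = {}
    return [login(fails, username, "wrong") for _ in range(attempts)]
```

In a real service the uniform counter needs expiry and a size bound, since it now stores names chosen by the client.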

Key dates

02 Disclosure timeline

March 1, 2023 CVE published
March 7, 2025 Record updated