CVE-2023-23930 MEDIUM

CVE-2023-23930: vantage6's Pickle serialization is insecure

Vendor Vantage6
Product vantage6
Weakness CWE-502 · Unsafe deserialization
Published October 11, 2023
Last update September 18, 2024
View on NVD All CVEs

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.

Key dates

02Disclosure timeline

October 11, 2023 CVE published
September 18, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-32742 Untrusted data fed into `Data.init(base32Encoded:)` can result in exposing server memory and/or crash CVE-2022-2436 Download Manager <= 3.2.49 - Authenticated (Contributor+) PHAR Deserialization CVE-2025-52826 WordPress Sala theme <= 1.1.3 - PHP Object Injection Vulnerability CVE-2024-36984 Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows CVE-2025-43850 GHSL-2025-020_Retrieval-based-Voice-Conversion-WebUI