CVE-2024-23823 MEDIUM

CVE-2024-23823: CORS settings overly permissive in vantage6

Vendor Vantage6
Product vantage6
Weakness CWE-942
Published March 14, 2024
Last update August 1, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

March 14, 2024 CVE published
August 1, 2024 Record updated