CVE-2023-41881

Deleting a collaboration should also delete linked resources

CVSS 3.7 LOWEPSS 0.3%CWE-200 CWE-708

In short

When a collaboration is deleted from vantage6, the linked resources like tasks aren't always removed. This could allow users in a new collaboration with the same ID to accidentally see data from the old deleted collaboration.

Technical detail

CWE-200/708: Improper resource deletion in vantage6 versions prior to 4.0.0 allows information disclosure when a collaboration is deleted but its associated resources remain; subsequent reuse of the same collaboration ID enables authenticated users to access orphaned data from the previous collaboration context.

Summary generated and translated by AI from the official description.

vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

Affected products

vantage6 · vantage6

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400 https://github.com/vantage6/vantage6/pull/748 https://github.com/vantage6/vantage6/security/advisories/GHSA-rf54-7qrr-96j6