CVE-2023-41881
vantage6 does not properly delete linked resources when deleting a collaboration
Description
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.
How to fix CVE-2023-41881
To remediate CVE-2023-41881, upgrade the affected package to a fixed version below.
- —upgrade to 4.0.0 or later
- —upgrade to 4.0.0 or later
Is CVE-2023-41881 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.0.0
- from 0, < 4.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | LOW3.7 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N |