CVE-2024-21649 — vantage6 remote code execution vulnerability

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

How to fix CVE-2024-21649

To remediate CVE-2024-21649, upgrade the affected package to a fixed version below.

—upgrade to 4.2.0 or later
—upgrade to eac19db737145d3ca987adf037a454fae0790ddd or later

Is CVE-2024-21649 being exploited?

Moderate — EPSS is 6.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 4.2.0
from 0, < eac19db737145d3ca987adf037a454fae0790ddd | from 0, < 4.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21649
PATCHgithub.com/vantage6/vantage6
WEBgithub.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2024-30.yaml
WEBgithub.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd