CVE-2024-21671 — vantage6 vulnerable to username timing attack

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.

How to fix CVE-2024-21671

To remediate CVE-2024-21671, upgrade the affected package to a fixed version below.

—upgrade to 389f416c445da4f2438c72f34c3b1084485c4e30 or later
—upgrade to 4.2.0 or later

Is CVE-2024-21671 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 389f416c445da4f2438c72f34c3b1084485c4e30 | from 0, < 4.2.0
from 0, < 4.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21671
PATCHgithub.com/vantage6/vantage6
WEBgithub.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2024-31.yaml
WEBgithub.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30