CVE-2024-22193

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.

How to fix CVE-2024-22193

To remediate CVE-2024-22193, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.0 or later
• —upgrade to 6383283733b81abfcacfec7538dc4dc882e98074 or later

Is CVE-2024-22193 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4.2.0
• from 0, < 6383283733b81abfcacfec7538dc4dc882e98074 | from 0, < 4.2.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-22193
• PATCHgithub.com/vantage6/vantage6
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2024-32.yaml
• WEBgithub.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074