GHSA-vc3v-ppc7-v486

Source

https://github.com/advisories/GHSA-vc3v-ppc7-v486

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vc3v-ppc7-v486/GHSA-vc3v-ppc7-v486.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vc3v-ppc7-v486

Aliases

CVE-2023-47631

Published

2023-11-14T22:21:57Z

Modified

2024-02-16T08:12:10.798174Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

vantage6-server node accepts non-whitelisted algorithms from malicious server

Details

Impact

A node does not check if an image is allowed to run if a parent_id is set. A malicious party that breaches the server may modify it to set a fake parent_id and send a task of a non-whitelisted algorithm. The node will then execute it because the parent_id that is set prevents checks from being run. Relevant node code here

This impacts all servers that are breached by an expert user

Patches

Fixed in v4.1.2

Workarounds

None

References

Affected packages

PyPI / vantage6-server

Package

Name: vantage6-server; View open source insights on deps.dev
Purl: pkg:pypi/vantage6-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.1.2

Affected versions

0.*

0.0.0b0

0.0.0b1

0.0.0b3

0.0.0

1.*

1.0.0b2

1.0.0b3

1.0.0b4

1.0.0b5

1.0.0b6

1.0.0b7

1.0.0b8

1.0.0b9

1.0.0b11

1.0.0b12

1.0.0b13

1.0.0b14

1.0.0

1.0.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.3.post1

2.*

2.0.0a1

2.0.0a2

2.0.0a3

2.0.0

2.0.0.post1

2.0.1rc1

2.0.1rc2

2.1.0rc1

2.1.0

2.1.1

2.1.2

2.1.3b1

2.1.3b2

2.1.3b3

2.1.3b4

2.2.0b1

2.2.0b2

2.2.0b3

2.2.0b4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.3.0rc1

2.3.0rc2

2.3.0rc3

2.3.0rc4

2.3.0rc5

2.3.0

2.3.1

2.3.2rc1

2.3.2

2.3.3

2.3.4

2.3.5b1

2.3.5

3.*

3.0.0b1

3.0.0b3

3.0.0b4

3.0.0b5

3.0.0b6

3.0.0b7

3.0.0b8

3.0.0rc1

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0rc1

3.1.0rc5

3.1.0rc6

3.1.0rc7

3.1.0rc8

3.1.0rc9

3.1.0

3.1.1rc1

3.1.1rc2

3.2.0rc1

3.2.0rc2

3.2.0rc3

3.2.0rc4

3.2.0rc5

3.2.0

3.3.0a0

3.3.0rc1

3.3.0rc2

3.3.0rc3

3.3.0rc4

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7a2

3.3.7a3

3.3.7

3.3.8a1

3.3.8a2

3.3.8a4

3.3.8a5

3.3.8a6

3.3.8a7

3.3.8a8

3.4.0a1

3.4.0a2

3.4.0a3

3.4.0a6

3.4.0

3.4.1a0

3.4.1a1

3.4.1a2

3.4.1a3

3.4.1

3.4.2a0

3.4.2

3.4.3

3.5.0rc1

3.5.0rc2

3.5.0rc3

3.5.0

3.5.1

3.5.2

3.6.0

3.6.1rc1

3.6.1rc2

3.6.1rc3

3.6.1

3.7.0rc1

3.7.0rc2

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0rc3

3.8.0

3.8.1

3.8.2rc1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.8.7rc1

3.8.7

3.8.8rc1

3.8.8rc2

3.8.8rc3

3.8.8

3.9.0rc2

3.9.0rc4

3.9.0

3.10.0rc1

3.10.0

3.10.1

3.10.3

3.10.4

3.11.0rc1

3.11.0rc2

3.11.0rc3

3.11.0

3.11.1

4.*

4.0.0a2

4.0.0a3

4.0.0a4

4.0.0a5

4.0.0a6

4.0.0a7

4.0.0a8

4.0.0a9

4.0.0a10

4.0.0

4.0.1rc2

4.0.1

4.0.2

4.0.3

4.1.0b0

4.1.0b1

4.1.0rc0

4.1.0

4.1.1