CVE-2023-41881: Add flag whether linked resources should be deleted in delete endpoin… by bartvanb · Pull Request #748 · vantage6/vantage6
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.
✅ roles (not available in the python client)
```
>>> client.request('role/11', method='delete', params={'delete_dependents': True})
Making request: DELETE | http://localhost:5000/api/role/11 | {'delete_dependents': True}
Starting new HTTP connection (1): localhost:5000
http://localhost:5000 "DELETE /api/role/11?delete_dependents=True HTTP/1.1" 200 42
{'msg': 'Role removed from the database.'}
```
✅ task (subtasks are always deleted)
```
>>> client.request('task/8', method='delete')
Making request: DELETE | http://localhost:5000/api/task/8 | None
Starting new HTTP connection (1): localhost:5000
http://localhost:5000 "DELETE /api/task/8 HTTP/1.1" 200 78
{'msg': 'task id=8 and its algorithm run data have been successfully deleted'}
```
✅ user (not available in the python client)
```
>>> client.request('user/1', method='delete', params={'delete_dependents': True})
Making request: DELETE | http://localhost:5000/api/user/1 | {'delete_dependents': True}
Starting new HTTP connection (1): localhost:5000
http://localhost:5000 "DELETE /api/user/1?delete_dependents=True HTTP/1.1" 200 49
{'msg': 'user id=1 is removed from the database'}
```
✅ collaboration (not available in the python client)
```
>>> client.request('collaboration/1', method='delete', params={'delete_dependents': True})
Making request: DELETE | http://localhost:5000/api/collaboration/1 | {'delete_dependents': True}
Starting new HTTP connection (1): localhost:5000
http://localhost:5000 "DELETE /api/collaboration/1?delete_dependents=True HTTP/1.1" 200 50
{'msg': 'Collaboration id=1 successfully deleted'}
```
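As an added illustration (not vantage6's own code), the following in-memory model shows the server-side logic that a `delete_dependents` flag guards: deleting a collaboration without its linked tasks and then reusing its id leaves the old tasks visible to the new collaboration's members, while the cascading delete leaves nothing behind. The refusal status and messages for a delete without the flag are assumptions, not the project's actual responses.

```python
# Added illustration, not vantage6's own code: a minimal in-memory model of a
# collaboration DELETE endpoint with a `delete_dependents` flag, showing why
# lingering linked tasks matter once a deleted id is handed out again.
from dataclasses import dataclass, field


@dataclass
class Store:
    collaborations: dict = field(default_factory=dict)  # collaboration id -> name
    tasks: dict = field(default_factory=dict)           # task id -> collaboration id
    next_task_id: int = 1

    def create_task(self, cid: int) -> int:
        tid, self.next_task_id = self.next_task_id, self.next_task_id + 1
        self.tasks[tid] = cid
        return tid

    def tasks_of(self, cid: int) -> list:
        # What an authenticated member of collaboration `cid` gets to see.
        return sorted(t for t, c in self.tasks.items() if c == cid)

    def delete_collaboration_unsafe(self, cid: int) -> dict:
        # Pre-fix behaviour: the collaboration row goes, its tasks stay behind.
        del self.collaborations[cid]
        return {"status": 200, "msg": f"Collaboration id={cid} successfully deleted"}

    def delete_collaboration(self, cid: int, delete_dependents: bool = False) -> dict:
        # Fixed behaviour (assumed shape, not the project's code): refuse unless the
        # caller opts in to cascading, then remove dependents together with the parent.
        if cid not in self.collaborations:
            return {"status": 404, "msg": f"Collaboration id={cid} not found"}
        dependents = self.tasks_of(cid)
        if dependents and not delete_dependents:
            return {"status": 400, "msg": "Collaboration has linked tasks; "
                    "pass delete_dependents=True to remove them as well"}
        for tid in dependents:
            del self.tasks[tid]
        del self.collaborations[cid]
        return {"status": 200, "msg": f"Collaboration id={cid} successfully deleted"}


def visible_after_id_reuse(fixed: bool) -> tuple:
    """Delete collaboration 10, recreate it under the same id, and return
    (delete status, task ids the new collaboration's members would see)."""
    store = Store()
    store.collaborations[10] = "old"
    store.create_task(10)
    store.create_task(10)
    resp = (store.delete_collaboration(10, delete_dependents=True) if fixed
            else store.delete_collaboration_unsafe(10))
    store.collaborations[10] = "new"  # id 10 reused by an unrelated collaboration
    return resp["status"], store.tasks_of(10)
```

`visible_after_id_reuse(fixed=False)` returns `(200, [1, 2])`, the leaked tasks of the deleted collaboration; `visible_after_id_reuse(fixed=True)` returns `(200, [])`.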
Related news
When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted. Deleting them is partly a matter of managing data properly, but it also prevents a potential (but unlikely) side-effect: if a collaboration with id=10 is deleted and a new collaboration is subsequently created with id=10, the authenticated users in that new collaboration could, in some cases, see results of the deleted collaboration, resulting in information disclosure.