GHSA-36gx-9q6h-g429: vantage6 vulnerable to Observable Response Discrepancy

Impact

We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One of those measures is that a failed login does not tell the user whether the submitted username exists, so that bots cannot harvest valid usernames. However, after a number of wrong passwords the account is temporarily locked, and the response for a locked account differs from the generic login-failure response. Since only existing accounts can be locked, an attacker can still find out which usernames exist by submitting wrong passwords repeatedly and watching for the lockout response.
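The mechanism above, as an added illustration that is not vantage6's own code: a hypothetical login service that reproduces the flaw (a lockout message that only real accounts can trigger), a hardened variant that returns one response in every failure case and keeps failure counters for unknown usernames too, and the probe an attacker would run against both. The lockout threshold, the message strings and the sample account are assumptions for the demonstration; vantage6's real values may differ.

```python
"""Username enumeration through account-lockout responses.

Added example, not vantage6's code. LOCKOUT_THRESHOLD, the message
strings and the sample user are assumed values for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5                       # assumed, not vantage6's value
GENERIC_FAILURE = "Invalid username or password"
PBKDF2_ROUNDS = 10_000                      # kept low so the demo runs fast
_DUMMY_SALT = b"\x00" * 16                  # equalises work for unknown names


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class LeakyAuth:
    """Vulnerable: lockout state exists only for real accounts and the
    lockout response differs from the generic failure, so one wrong
    password past the threshold reveals whether the username exists."""

    def __init__(self, users: dict[str, User]):
        self.users = users

    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None:
            return GENERIC_FAILURE                  # unknown names never lock
        if user.locked:
            return "Account temporarily locked"     # the observable discrepancy
        if hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            user.failures = 0
            return "OK"
        user.failures += 1
        if user.failures >= LOCKOUT_THRESHOLD:
            user.locked = True
        return GENERIC_FAILURE


class UniformAuth:
    """Hardened: one response for unknown name, wrong password and locked
    account, and failure counters kept for every submitted name, so the
    behaviour over repeated attempts is the same whether the name exists."""

    def __init__(self, users: dict[str, User]):
        self.users = users
        self.failures: dict[str, int] = {}       # keyed by submitted name, real or not

    def login(self, username: str, password: str) -> str:
        n = self.failures.get(username, 0)
        user = self.users.get(username)
        if user is None:
            _hash(password, _DUMMY_SALT)         # same work as a real check
            ok = False
        else:
            ok = hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
        if n >= LOCKOUT_THRESHOLD:
            return GENERIC_FAILURE               # locked: refuse, but do not say so
        if ok:
            self.failures.pop(username, None)
            return "OK"
        self.failures[username] = n + 1
        return GENERIC_FAILURE


def enumerate_users(auth, candidates, attempts=LOCKOUT_THRESHOLD + 1):
    """Attacker's probe: hammer each candidate with a wrong password and
    report the names whose responses ever departed from the generic one."""
    found = []
    for name in candidates:
        seen = {auth.login(name, "definitely-wrong") for _ in range(attempts)}
        if seen != {GENERIC_FAILURE}:
            found.append(name)
    return found


def make_users() -> dict[str, User]:
    """Constructed sample data: one real account."""
    salt = os.urandom(16)
    return {"alice": User(salt, _hash("correct horse battery", salt))}


def demo():
    candidates = ["alice", "bob", "carol"]          # constructed wordlist
    leaky = enumerate_users(LeakyAuth(make_users()), candidates)
    uniform = enumerate_users(UniformAuth(make_users()), candidates)
    return leaky, uniform


if __name__ == "__main__":
    print(demo())   # (['alice'], [])
```

The probe only needs the responses to differ at some point in a run of attempts; it does not matter whether the tell is the message text, the HTTP status or a delay, so the hardened handler must keep all of those identical across the three failure cases. Two caveats a practitioner would want: any lockout keyed on the submitted username lets an attacker lock real users out (a denial-of-service trade-off that source-based rate limiting avoids), and because the uniform response gives a locked user no hint, the operator should notify the account holder out of band.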

Patches

Update to 3.8.0+

Workarounds

No

References

https://github.com/vantage6/vantage6/issues/59

For more information

If you have any questions or comments about this advisory:


Package

vantage6 (pip)

Affected versions

< 3.8.0

Patched versions

3.8.0

References

  • GHSA-36gx-9q6h-g429
  • vantage6/vantage6#59
  • vantage6/vantage6#281
  • vantage6/vantage6@ab4381c

frankcorneliusmartin published to vantage6/vantage6

Feb 28, 2023

Published to the GitHub Advisory Database

Feb 28, 2023

Reviewed

Feb 28, 2023

Related news

CVE-2022-39228: Observable Response Discrepancy in vantage6

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. On a wrong username/password combination, vantage6 does not tell the user whether the username exists; this is meant to keep bots from harvesting usernames. However, after a number of wrong passwords the user account is temporarily locked, and the lockout response again reveals that the username exists. This issue has been fixed in version 3.8.0.