VYPR
← All advisories
Low severityNVD Advisory· Published Jan 30, 2024· Updated Jun 17, 2025

vantage6 unencrypted task can be created in encrypted collaboration

CVE-2024-22193

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vantage6PyPI
< 4.2.04.2.0

Affected products

1

Patches

1
6383283733b8

Merge pull request from GHSA-rjmv-52mp-gjrr

https://github.com/vantage6/vantage6Bart van BeusekomJan 18, 2024via ghsa
commit
1 file changed · +63 3
  • vantage6-server/vantage6/server/resource/task.py+63 3 modified
    @@ -11,6 +11,7 @@
 
 from vantage6.common.globals import STRING_ENCODING
 from vantage6.common.task_status import TaskStatus, has_task_finished
+from vantage6.common.encryption import DummyCryptor
 from vantage6.server import db
 from vantage6.server.permission import (
     RuleCollection,
@@ -490,6 +491,7 @@ def post(self):
         """
         return self.post_task(request.get_json(), self.socketio, self.r)
 
+    # TODO this function should be refactored to make it more readable
     @staticmethod
     def post_task(data: dict, socketio: SocketIO, rules: RuleCollection):
         """
@@ -562,10 +564,8 @@ def post_task(data: dict, socketio: SocketIO, rules: RuleCollection):
                        "you are participating in!"
             }, HTTPStatus.UNAUTHORIZED
 
-        # Create the new task in the database
-        image = data.get('image', '')
-
         # verify permissions
+        image = data.get('image', '')
         if g.user and not rules.can_for_col(P.CREATE, collaboration.id):
             return {'msg': 'You lack the permission to do that!'}, \
                 HTTPStatus.UNAUTHORIZED
@@ -577,6 +577,17 @@ def post_task(data: dict, socketio: SocketIO, rules: RuleCollection):
                 return {"msg": "Container-token is not valid"}, \
                     HTTPStatus.UNAUTHORIZED
 
+        # check that the input is valid. If the collaboration is encrypted, it
+        # should not be possible to read the input, and we should not save it
+        # to the database as it may be sensitive information. Vice versa, if
+        # the collaboration is not encrypted, we should not allow the user to
+        # send encrypted input.
+        is_valid_input, error_msg = Tasks._check_input_encryption(
+            organizations_json_list, collaboration
+        )
+        if not is_valid_input:
+            return {"msg": error_msg}, HTTPStatus.BAD_REQUEST
+
         # permissions ok, create task record and TaskDatabase records
         task = db.Task(collaboration=collaboration, name=data.get('name', ''),
                        description=data.get('description', ''), image=image,
@@ -740,6 +751,55 @@ def _node_doesnt_allow_user_task(
                         return False
         return has_limitations
 
+    @staticmethod
+    def _check_input_encryption(
+        organizations_json_list: list[dict], collaboration: db.Collaboration
+    ) -> tuple[bool, str]:
+        """
+        Check if the input encryption status matches the expected status for
+        the collaboration. Also, check that if the input is not encrypted, it
+        can be read as a string.
+
+        Parameters
+        ----------
+        organizations_json_list : list[dict]
+            List of organizations which contains the input per organization.
+        collaboration : db.Collaboration
+            Collaboration object.
+
+        Returns
+        -------
+        bool
+            True if the input is encrypted.
+        str
+            Error message if the input is valid.
+        """
+        dummy_cryptor = DummyCryptor()
+        for org in organizations_json_list:
+            input_ = org.get('input')
+            decrypted_input = dummy_cryptor.decrypt_str_to_bytes(input_)
+            is_input_readable = False
+            try:
+                decrypted_input.decode(STRING_ENCODING)
+                is_input_readable = True
+            except UnicodeDecodeError:
+                pass
+
+            if collaboration.encrypted and is_input_readable:
+                return False,  (
+                    "Your collaboration requires encryption, but input is not "
+                    "encrypted! Please encrypt your input before sending it."
+                ),
+            elif not collaboration.encrypted and not is_input_readable:
+                return False, (
+                    "Your task's input cannot be parsed. Your input should be "
+                    "a base64 encoded JSON string. Note that if you are using "
+                    "the user interface or Python client, this should be done "
+                    "for you. Also, make sure not to encrypt your input, "
+                    "as your collaboration is set to not use encryption."
+                )
+        return True, ''
+
 
 class Task(TaskBase):
     """Resource for /api/task"""

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.