PyPI package
vantage6
pkg:pypi/vantage6
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-43863 | — | | | < 4.11.0 | 4.11.0 | Jun 12, 2025 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If an attacker gets access to an authenticated session, they can try to brute-force the user password by using the change passw |
| CVE-2024-32969 | Low | 2.7 | | < 4.5.0rc3 | 4.5.0rc3 | May 23, 2024 | vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know t |
| CVE-2024-23823 | — | | | < 4.3.0 | 4.3.0 | Mar 14, 2024 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the |
| CVE-2024-24770 | — | | | < 4.3.0 | 4.3.0 | Mar 14, 2024 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/ |
| CVE-2024-22193 | — | | | < 4.2.0 | 4.2.0 | Jan 30, 2024 | The vantage6 technology makes it possible to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may acci |
| CVE-2024-21653 | — | | | < 4.2.0 | 4.2.0 | Jan 30, 2024 | The vantage6 technology makes it possible to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get an SSH config by default that permits root login with password authentication. In a proper deployment, the SSH |
| CVE-2024-21649 | — | | | < 4.2.0 | 4.2.0 | Jan 30, 2024 | The vantage6 technology makes it possible to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. Thi |
| CVE-2023-41882 | — | | | < 4.0.0 | 4.0.0 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, |
| CVE-2023-41881 | — | | | < 4.0.0 | 4.0.0 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect th |
| CVE-2023-28635 | — | | | < 4.0.0 | 4.0.0 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk is when users define which use |
| CVE-2023-23930 | — | | | < 4.0.2 | 4.0.2 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issues, as a default serialization module. All users of vantage6 that post tasks with the default serialization are aff |
| CVE-2023-23929 | — | | | < 3.8.0 | 3.8.0 | Mar 3, 2023 | vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. |
| CVE-2023-22738 | — | | | < 3.8.0 | 3.8.0 | Mar 1, 2023 | vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, |
| CVE-2022-39228 | — | | | < 3.8.0 | 3.8.0 | Mar 1, 2023 | vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wro |