CVE-2023-47631
HIGH7.2EPSS 0.33%vantage6-server node accepts non-whitelisted algorithms from malicious server
Published: 11/14/2023Modified: 11/22/2024
Description
### Impact A node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent_id` that is set prevents checks from being run. Relevant node code [here](https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268) This impacts all servers that are breached by an expert user ### Patches Fixed in v4.1.2 ### Workarounds None
Affected packages (4)
- PyPI/vantage6-nodefrom 0, < 4.1.2
- PyPI/vantage6-nodefrom 0, < bf83521eb12fa80aa5fc92ef1692010a9a7f8243 | from 0, < 4.1.2
- PyPI/vantage6-serverfrom 0, < 4.1.2
- PyPI/vantage6-serverfrom 0, < bf83521eb12fa80aa5fc92ef1692010a9a7f8243 | from 0, < 4.1.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-47631
- PATCHhttps://github.com/vantage6/vantage6
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/vantage6-node/PYSEC-2023-303.yaml
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/vantage6-server/PYSEC-2023-304.yaml
- WEBhttps://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268
- WEBhttps://github.com/vantage6/vantage6/commit/bf83521eb12fa80aa5fc92ef1692010a9a7f8243
- WEBhttps://github.com/vantage6/vantage6/security/advisories/GHSA-vc3v-ppc7-v486