Headline
GHSA-rf54-7qrr-96j6: vantage6 does not properly delete linked resources when deleting a collaboration
When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted. Those resources should be removed together with the collaboration, partly to manage data properly, but also to prevent a potential (but unlikely) side effect: if a collaboration with id=10 is deleted and a new collaboration is subsequently created with id=10, the authenticated users in the new collaboration could in some cases see results of the deleted collaboration, resulting in information disclosure.
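The failure mode described above can be reproduced with a minimal, self-contained model of the data layout. The example below is added here and is not vantage6 code; it assumes a simplified two-table schema (`collaboration` and `task` with a `result` column) and uses SQLite in memory. It contrasts a delete that removes only the collaboration row (leaving tasks and their results behind, as the advisory describes for versions before 4.0.0) with a delete that removes the linked resources in the same transaction, and it includes an `orphaned_tasks` check a defender can run against an existing database to find leftovers from earlier deletions.

```python
import sqlite3

# Constructed, simplified schema: a collaboration owns tasks, each task may
# carry a result. This is a stand-in for the real vantage6 tables.
SCHEMA = """
CREATE TABLE collaboration (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE task (
    id               INTEGER PRIMARY KEY,
    collaboration_id INTEGER NOT NULL REFERENCES collaboration(id),
    description      TEXT NOT NULL,
    result           TEXT
);
"""


def open_db():
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def delete_collaboration_vulnerable(conn, collab_id):
    """Pre-4.0.0-style behaviour as the advisory describes it: only the
    collaboration row goes away. Its tasks (and their results) stay behind,
    still pointing at an id that is now free for reuse."""
    conn.execute("DELETE FROM collaboration WHERE id = ?", (collab_id,))
    conn.commit()


def delete_collaboration_fixed(conn, collab_id):
    """Remove every linked resource together with the collaboration, children
    first, in one transaction so a failure leaves nothing half-deleted."""
    with conn:  # commits on success, rolls back on exception
        conn.execute("DELETE FROM task WHERE collaboration_id = ?", (collab_id,))
        conn.execute("DELETE FROM collaboration WHERE id = ?", (collab_id,))


def results_visible_to(conn, collab_id):
    """What a member of collaboration `collab_id` would be shown: the results
    of every task whose foreign key points at that collaboration id."""
    rows = conn.execute(
        "SELECT result FROM task "
        "WHERE collaboration_id = ? AND result IS NOT NULL ORDER BY id",
        (collab_id,),
    ).fetchall()
    return [r[0] for r in rows]


def orphaned_tasks(conn):
    """Audit query: task ids whose collaboration no longer exists. A non-empty
    answer on a live database means earlier deletions left data behind."""
    rows = conn.execute(
        "SELECT t.id FROM task t "
        "LEFT JOIN collaboration c ON c.id = t.collaboration_id "
        "WHERE c.id IS NULL ORDER BY t.id"
    ).fetchall()
    return [r[0] for r in rows]


def id_reuse_scenario(delete_fn):
    """Play the advisory's scenario with the given delete routine.

    Returns (orphans after deletion, results the *new* collaboration with
    the reused id can see)."""
    conn = open_db()
    # Constructed sample data: old collaboration 10 with one finished task.
    conn.execute("INSERT INTO collaboration (id, name) VALUES (10, 'old-study')")
    conn.execute(
        "INSERT INTO task (collaboration_id, description, result) "
        "VALUES (10, 'mean age over all sites', 'mean_age=54.2')"
    )
    conn.commit()

    delete_fn(conn, 10)
    orphans = orphaned_tasks(conn)

    # A new, unrelated collaboration is created and receives the same id.
    conn.execute("INSERT INTO collaboration (id, name) VALUES (10, 'new-study')")
    conn.commit()
    leaked = results_visible_to(conn, 10)
    conn.close()
    return orphans, leaked


if __name__ == "__main__":
    print("vulnerable delete:", id_reuse_scenario(delete_collaboration_vulnerable))
    print("fixed delete:     ", id_reuse_scenario(delete_collaboration_fixed))
```

With the vulnerable routine the new collaboration 10 sees `mean_age=54.2`, a result it never produced, and the audit query reports the orphaned task in between; with the fixed routine both lists are empty. The same effect can be obtained at the database level by declaring `ON DELETE CASCADE` on the foreign key (in SQLite this also requires `PRAGMA foreign_keys = ON`), but the explicit transactional delete shown here does not depend on the database engine's settings and keeps the cleanup visible in application code.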
Package
vantage6 (pip)
Affected versions
< 4.0.0
Patched versions
4.0.0
References
- GHSA-rf54-7qrr-96j6
- https://nvd.nist.gov/vuln/detail/CVE-2023-41881
- vantage6/vantage6#748
- https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
frankcorneliusmartin published to vantage6/vantage6
Oct 11, 2023
Published to the GitHub Advisory Database
Oct 16, 2023
Reviewed
Oct 16, 2023
Last updated
Oct 16, 2023
Related news
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect that affects versions prior to 4.0.0, where if a collaboration with id=10 is deleted, and subsequently a new collaboration is created with id=10, the authenticated users in that collaboration could potentially see results of the deleted collaboration in some cases. Version 4.0.0 contains a patch for this issue. There are no known workarounds.