{
  "url": "http://public2.vulnerablecode.io/api/packages/39206?format=json",
  "purl": "pkg:pypi/vantage6@4.1.3",
  "type": "pypi",
  "namespace": "",
  "name": "vantage6",
  "version": "4.1.3",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "4.11.0",
  "latest_non_vulnerable_version": "4.11.0",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37080?format=json",
      "vulnerability_id": "VCID-cc7t-us5t-ffbb",
      "summary": "vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11.",
      "references": [
        {
          "reference_url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-j6g5-p62x-58hw",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "9.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-j6g5-p62x-58hw"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/45412?format=json",
          "purl": "pkg:pypi/vantage6@4.11.0",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vantage6@4.11.0"
        }
      ],
      "aliases": ["CVE-2025-43863", "GHSA-j6g5-p62x-58hw", "PYSEC-2025-220"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cc7t-us5t-ffbb"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36707?format=json",
      "vulnerability_id": "VCID-hdj5-dmqq-cqdp",
      "summary": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).  It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks.  Version 4.2.0 patches this vulnerability.",
      "references": [
        {
          "reference_url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "3.7",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30"
        },
        {
          "reference_url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "3.7",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21671",
          "reference_id": "CVE-2024-21671",
          "reference_type": "",
          "scores": [],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21671"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-45gq-q4xh-cp53",
          "reference_id": "GHSA-45gq-q4xh-cp53",
          "reference_type": "",
          "scores": [],
          "url": "https://github.com/advisories/GHSA-45gq-q4xh-cp53"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/39209?format=json",
          "purl": "pkg:pypi/vantage6@4.2.0",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-cc7t-us5t-ffbb"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vantage6@4.2.0"
        }
      ],
      "aliases": ["CVE-2024-21671", "GHSA-45gq-q4xh-cp53", "PYSEC-2024-31"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hdj5-dmqq-cqdp"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36708?format=json",
      "vulnerability_id": "VCID-sgwu-s2e9-7qbp",
      "summary": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution.  This vulnerability is patched in 4.2.0.",
      "references": [
        {
          "reference_url": "https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "8.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd"
        },
        {
          "reference_url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "8.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21649",
          "reference_id": "CVE-2024-21649",
          "reference_type": "",
          "scores": [],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21649"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-w9h2-px87-74vx",
          "reference_id": "GHSA-w9h2-px87-74vx",
          "reference_type": "",
          "scores": [],
          "url": "https://github.com/advisories/GHSA-w9h2-px87-74vx"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/39209?format=json",
          "purl": "pkg:pypi/vantage6@4.2.0",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-cc7t-us5t-ffbb"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vantage6@4.2.0"
        }
      ],
      "aliases": ["CVE-2024-21649", "GHSA-w9h2-px87-74vx", "PYSEC-2024-30"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sgwu-s2e9-7qbp"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36709?format=json",
      "vulnerability_id": "VCID-tjnd-7tza-1fay",
      "summary": "The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database.  Users should ensure they set the encryption setting correctly.  This vulnerability is patched in 4.2.0.",
      "references": [
        {
          "reference_url": "https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.3",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/commit/6383283733b81abfcacfec7538dc4dc882e98074"
        },
        {
          "reference_url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "4.3",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
            }
          ],
          "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-rjmv-52mp-gjrr"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22193",
          "reference_id": "CVE-2024-22193",
          "reference_type": "",
          "scores": [],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22193"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-rjmv-52mp-gjrr",
          "reference_id": "GHSA-rjmv-52mp-gjrr",
          "reference_type": "",
          "scores": [],
          "url": "https://github.com/advisories/GHSA-rjmv-52mp-gjrr"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/39209?format=json",
          "purl": "pkg:pypi/vantage6@4.2.0",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-cc7t-us5t-ffbb"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vantage6@4.2.0"
        }
      ],
      "aliases": ["CVE-2024-22193", "GHSA-rjmv-52mp-gjrr", "PYSEC-2024-32"],
      "risk_score": null,
      "exploitability": null,
      "weighted_severity": null,
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tjnd-7tza-1fay"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/vantage6@4.1.3"
}
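Two things in this record are easy to misread when it is consumed by a script. First, three of the four advisories list pkg:pypi/vantage6@4.2.0 under `fixed_packages`, but that same entry carries `"is_vulnerable": true` because 4.2.0 is still affected by VCID-cc7t-us5t-ffbb; the version that clears everything is `next_non_vulnerable_version`, 4.11.0. Second, VCID-cc7t-us5t-ffbb is scored 9.8 with a `PR:N` vector while its summary starts from an attacker who already holds an authenticated session, which is worth a human look before the number is treated as an unauthenticated critical. The Python below is an added example, not code from VulnerableCode or vantage6: it parses a trimmed copy of the record above (only the fields it needs, summaries cut to their key sentence, values otherwise verbatim), splits the CVSS vector strings, flags fixed versions that are themselves still vulnerable, and recommends the upgrade target. The function names and the `review_score` heuristic (PR:N plus the word "authenticated" in the summary) are this example's own, not fields of the API.

```python
"""Triage a VulnerableCode package record (added example; not VulnerableCode or vantage6 code)."""
import json

# Trimmed copy of the record above for pkg:pypi/vantage6@4.1.3: only the fields used here are
# kept and summaries are cut to one sentence, but every retained value is verbatim.
RECORD_JSON = r"""
{"purl": "pkg:pypi/vantage6@4.1.3", "is_vulnerable": true,
 "next_non_vulnerable_version": "4.11.0", "latest_non_vulnerable_version": "4.11.0",
 "affected_by_vulnerabilities": [
  {"vulnerability_id": "VCID-cc7t-us5t-ffbb",
   "summary": "If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality",
   "references": [{"scores": [{"value": "9.8", "scoring_system": "cvssv3.1",
                 "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}],
   "fixed_packages": [{"purl": "pkg:pypi/vantage6@4.11.0", "is_vulnerable": false,
                       "affected_by_vulnerabilities": []}],
   "aliases": ["CVE-2025-43863", "GHSA-j6g5-p62x-58hw", "PYSEC-2025-220"]},
  {"vulnerability_id": "VCID-hdj5-dmqq-cqdp",
   "summary": "It is possible to find out usernames from the response time of login requests.",
   "references": [{"scores": [{"value": "3.7", "scoring_system": "cvssv3.1",
                 "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}],
   "fixed_packages": [{"purl": "pkg:pypi/vantage6@4.2.0", "is_vulnerable": true,
                       "affected_by_vulnerabilities": [{"vulnerability": "VCID-cc7t-us5t-ffbb"}]}],
   "aliases": ["CVE-2024-21671", "GHSA-45gq-q4xh-cp53", "PYSEC-2024-31"]},
  {"vulnerability_id": "VCID-sgwu-s2e9-7qbp",
   "summary": "Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution.",
   "references": [{"scores": [{"value": "8.8", "scoring_system": "cvssv3.1",
                 "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}],
   "fixed_packages": [{"purl": "pkg:pypi/vantage6@4.2.0", "is_vulnerable": true,
                       "affected_by_vulnerabilities": [{"vulnerability": "VCID-cc7t-us5t-ffbb"}]}],
   "aliases": ["CVE-2024-21649", "GHSA-w9h2-px87-74vx", "PYSEC-2024-30"]},
  {"vulnerability_id": "VCID-tjnd-7tza-1fay",
   "summary": "There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration.",
   "references": [{"scores": [{"value": "4.3", "scoring_system": "cvssv3.1",
                 "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}],
   "fixed_packages": [{"purl": "pkg:pypi/vantage6@4.2.0", "is_vulnerable": true,
                       "affected_by_vulnerabilities": [{"vulnerability": "VCID-cc7t-us5t-ffbb"}]}],
   "aliases": ["CVE-2024-22193", "GHSA-rjmv-52mp-gjrr", "PYSEC-2024-32"]}]}
"""


def parse_cvss_vector(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'version': '3.1', 'AV': 'N', 'AC': 'L', ...}."""
    head, _, rest = vector.partition("/")
    if not head.startswith("CVSS:"):
        raise ValueError("not a CVSS vector: %r" % vector)
    metrics = {"version": head[5:]}
    for item in rest.split("/"):
        key, _, val = item.partition(":")
        metrics[key] = val
    return metrics


def best_score(vuln):
    """Highest cvssv3.1 score across all references as (float, vector); None if nothing is scored."""
    best = None
    for ref in vuln.get("references", []):
        for s in ref.get("scores", []):
            if s.get("scoring_system") == "cvssv3.1":
                value = float(s["value"])
                if best is None or value > best[0]:
                    best = (value, s["scoring_elements"])
    return best


def triage(record):
    """Summarise the advisories on a package and find the upgrade that clears all of them."""
    findings, partial_fixes, clean_fixes = [], {}, set()
    for vuln in record["affected_by_vulnerabilities"]:
        score = best_score(vuln)
        metrics = parse_cvss_vector(score[1]) if score else {}
        # Heuristic of this example (not an API field): PR:N claims no privileges are needed,
        # so a summary that starts from an authenticated session deserves a manual look.
        needs_review = metrics.get("PR") == "N" and "authenticated" in vuln.get("summary", "").lower()
        fixed_in = []
        for fp in vuln.get("fixed_packages", []):
            version = fp["purl"].rsplit("@", 1)[1]
            fixed_in.append(version)
            if fp.get("is_vulnerable"):
                # The fix for this advisory is itself still affected by others: a partial fix.
                still = {x["vulnerability"] for x in fp.get("affected_by_vulnerabilities", [])}
                partial_fixes.setdefault(version, set()).update(still)
            else:
                clean_fixes.add(version)
        findings.append({
            "vcid": vuln["vulnerability_id"],
            "cve": next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), None),
            "score": score[0] if score else None,
            "privileges_required": metrics.get("PR"),
            "fixed_in": fixed_in,
            "review_score": needs_review,
        })
    findings.sort(key=lambda f: -(f["score"] or 0.0))  # worst first
    return {
        "package": record["purl"],
        "recommended_version": record.get("next_non_vulnerable_version"),
        "clean_fix_versions": sorted(clean_fixes),
        "partial_fixes": {v: sorted(s) for v, s in partial_fixes.items()},
        "findings": findings,
    }


def triage_embedded_record():
    return triage(json.loads(RECORD_JSON))


if __name__ == "__main__":
    report = triage_embedded_record()
    print("%s -> upgrade to %s" % (report["package"], report["recommended_version"]))
    for v, left in report["partial_fixes"].items():
        print("  %s is only a partial fix, still affected by %s" % (v, ", ".join(left)))
    for f in report["findings"]:
        flag = "  (check: PR:N but summary assumes an authenticated session)" if f["review_score"] else ""
        print("  %-20s %-15s %4s PR:%s fixed in %s%s" % (f["vcid"], f["cve"], f["score"],
                                                      f["privileges_required"], "/".join(f["fixed_in"]), flag))
```

Run against the live endpoint by replacing `RECORD_JSON` with the body of the `?format=json` URL at the top of the record; the same keys are present there. The `partial_fixes` map is the part to wire into a ticketing rule: if the version a scanner proposes appears in it, the upgrade does not close the finding.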