vantage6@0.0.0b3 vulnerabilities

vantage6 command line interface

Direct Vulnerabilities

Known vulnerabilities in the vantage6 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • Low severity: Improper Access Control

vantage6 is a vantage6 command line interface

Affected versions of this package are vulnerable to Improper Access Control in the collaboration management process. An attacker can extend their influence by adding extra organizations to their collaboration and creating new users with known passwords, allowing them to read task results of other collaborations.

How to fix Improper Access Control?

Upgrade vantage6 to version 4.5.0rc3 or higher.

Vulnerable versions: [,4.5.0rc3)
  • Medium severity: Race Condition

Affected versions of this package are vulnerable to Race Condition via the API routes /recover/lost and /2fa/lost, which are designed to assist users in recovering lost passwords or MFA tokens. An attacker can determine the existence of specific usernames within the system by observing differences in response times or by the specific error message "Failed to login" that is returned if the username exists.

How to fix Race Condition?

Upgrade vantage6 to version 4.3.0 or higher.

Vulnerable versions: [,4.3.0)
  • Medium severity: Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization due to overly permissive CORS settings. An attacker can exploit this vulnerability by sending requests from unauthorized origins, potentially leading to unauthorized actions or data exposure.

How to fix Incorrect Authorization?

Upgrade vantage6 to version 4.3.0 or higher.

Vulnerable versions: [,4.3.0)
  • Low severity: Insecure Storage of Sensitive Information

Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information due to insufficient validation of encryption settings when creating tasks in an encrypted collaboration. Creating a task without the proper encryption setting, whether by an attacker or by mistake, causes its sensitive input data to be stored unencrypted in the database.

How to fix Insecure Storage of Sensitive Information?

Upgrade vantage6 to version 4.2.0 or higher.

Vulnerable versions: [,4.2.0)
  • Medium severity: Improper Access Control

Affected versions of this package are vulnerable to Improper Access Control due to insecure default SSH configurations for node and server containers. An attacker can gain unauthorized root access with password authentication by exploiting this misconfiguration.

Note: This is only exploitable if the SSH service is exposed, which is not the case in a proper deployment.

How to fix Improper Access Control?

Upgrade vantage6 to version 4.2.0 or higher.

Vulnerable versions: [,4.2.0)
  • High severity: Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper handling of algorithm environment variables. An attacker can execute arbitrary code by injecting malicious input into these variables.

How to fix Arbitrary Code Injection?

Upgrade vantage6 to version 4.2.0 or higher.

Vulnerable versions: [,4.2.0)
  • Medium severity: Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the pickle module. An attacker can exploit the known security issues of pickle by posting tasks that use the default serialization.

How to fix Deserialization of Untrusted Data?

Upgrade vantage6 to version 4.0.2 or higher.

Vulnerable versions: [,4.0.2)
  • Low severity: Exposure of Sensitive Information to an Unauthorized Actor

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor when a collaboration is deleted: the linked resources, such as the tasks of that collaboration, should also be deleted but are not. An attacker can potentially see results of the deleted collaboration by creating a new collaboration with the same id as the deleted one. This is only exploitable if a new collaboration is created with the same id as a previously deleted collaboration.

How to fix Exposure of Sensitive Information to an Unauthorized Actor?

Upgrade vantage6 to version 4.0.0 or higher.

Vulnerable versions: [,4.0.0)
  • Medium severity: Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization through the /api/collaboration/{id}/task endpoint. An attacker can view all tasks from a certain collaboration by exploiting the lack of proper permission checks.

How to fix Incorrect Authorization?

Upgrade vantage6 to version 4.0.0 or higher.

Vulnerable versions: [,4.0.0)
  • Medium severity: Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization when the username or user id is used to define access permissions: because a username can be chosen to look like a numeric id, an attacker can gain unauthorized access to resources by creating usernames with integer values. This is only exploitable if the resource name is an integer. Version 4.0.0 contains a patch for this issue.

How to fix Incorrect Authorization?

Upgrade vantage6 to version 4.0.0 or higher.

Vulnerable versions: [,4.0.0)
  • Medium severity: Insufficient Session Expiration

Affected versions of this package are vulnerable to Insufficient Session Expiration because no maximum validity period is enforced for refresh tokens, so a refresh token stays usable indefinitely.

How to fix Insufficient Session Expiration?

Upgrade vantage6 to version 3.8.0rc3 or higher.

Vulnerable versions: [,3.8.0rc3)
  • Medium severity: Improper Preservation of Permissions

Affected versions of this package are vulnerable to Improper Preservation of Permissions such that assigning existing users to a different organization is possible, which may lead to unintended access. If a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access information they should not be allowed to access.

How to fix Improper Preservation of Permissions?

Upgrade vantage6 to version 3.8.0rc3 or higher.

Vulnerable versions: [,3.8.0rc3)
  • Medium severity: Information Exposure

Affected versions of this package are vulnerable to Information Exposure such that, if a wrong password is entered several times, the user account is blocked temporarily. Because this temporary block is only applied to accounts that exist, the lockout response reveals which usernames are valid, so an attacker can enumerate them.

How to fix Information Exposure?

Upgrade vantage6 to version 3.8.0rc3 or higher.

Vulnerable versions: [,3.8.0rc3)