vantage6 Node accepts non-whitelisted algorithms from malicious server
CVE-2023-47631

8.8HIGH

Key Information:

Vendor

vantage6

Status
vantage6
Vendor
CVE Published:
14 November 2023

What is CVE-2023-47631?

A vulnerability exists in the Vantage6 framework that allows unauthorized execution of tasks. If a malicious actor compromises a server, they can exploit the lack of validation on the 'parent_id' parameter. This vulnerability enables attackers to run non-whitelisted algorithms since the node neglects to conduct necessary checks when the 'parent_id' is compromised. As a result, every server breached by a skilled attacker is at risk. Users are strongly advised to upgrade to version 4.1.2 to mitigate this risk.

Affected Version(s)

vantage6 < 4.1.2

References

https://github.com/vantage6/vantage6/security/advisories/...
x_refsource_CONFIRM
https://github.com/vantage6/vantage6/commit/bf83521eb12fa...
x_refsource_MISC
https://github.com/vantage6/vantage6/blob/version/4.1.1/v...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.