CVE-2024-21649

Improper Control of Generation of Code ('Code Injection') in pypi/vantage6

Identifiers

GHSA-w9h2-px87-74vx, CVE-2024-21649

Package Slug

pypi/vantage6

Vulnerability

Improper Control of Generation of Code ('Code Injection')

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

Affected Versions

All versions before 4.2.0

Solution

Upgrade to version 4.2.0 or above.

Last Modified

2024-01-31

source