Advisories for Pypi/Vantage6-Node package

A node does not check if an image is allowed to run if a parent_id is set. A malicious party that breaches the server may modify it to set a fake parent_id and send a task of a non-allowlisted algorithm. The node will then execute it because the parent_id that is set prevents checks from being run. Relevant node code here This impacts all servers that are breached by an …

vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for example, if user id 13 …