CVE-2023-47631: vantage6-server node accepts non-allowlisted algorithms from malicious server
(updated )
A node does not check if an image is allowed to run if a parent_id is set. A malicious party that breaches the server may modify it to set a fake parent_id and send a task of a non-allowlisted algorithm. The node will then execute it because the parent_id that is set prevents checks from being run. Relevant node code here
This impacts all servers that are breached by an expert user
References
- github.com/advisories/GHSA-vc3v-ppc7-v486
- github.com/pypa/advisory-database/tree/main/vulns/vantage6-node/PYSEC-2023-303.yaml
- github.com/pypa/advisory-database/tree/main/vulns/vantage6-server/PYSEC-2023-304.yaml
- github.com/vantage6/vantage6
- github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py
- github.com/vantage6/vantage6/commit/bf83521eb12fa80aa5fc92ef1692010a9a7f8243
- github.com/vantage6/vantage6/security/advisories/GHSA-vc3v-ppc7-v486
- nvd.nist.gov/vuln/detail/CVE-2023-47631
Detect and mitigate CVE-2023-47631 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →