CVE-2024-21671: Observable Timing Discrepancy

January 30, 2024

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this vulnerability.

References

github.com/advisories/GHSA-45gq-q4xh-cp53
github.com/vantage6/vantage6/commit/389f416c445da4f2438c72f34c3b1084485c4e30
github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53
nvd.nist.gov/vuln/detail/CVE-2024-21671

Detect and mitigate CVE-2024-21671 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →