Vulnerability title
vantage6 insecure SSH configuration for node and server containers
Vulnerability description
The vantage6 technology manages and deploys privacy-enhancing technologies such as federated learning (FL) and multi-party computation (MPC). By default, nodes and servers ship with an SSH configuration that allows root login with password authentication. In a proper deployment the SSH service is not exposed to the public, so there is no risk; however, not all deployments are ideal, so the default setting should be less permissive to mitigate the potential exposure.
To patch this vulnerability, remove the SSH part from the Dockerfile and rebuild the Docker image. Alternatively, vantage6 version 4.2.0 contains a patch for this vulnerability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Improper authentication
Vulnerability title
vantage6 insecure SSH configuration for node and server containers
Vulnerability description
The vantage6 technology makes it possible to manage and deploy privacy-enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get an SSH config by default that permits root login with password authentication. In a proper deployment the SSH service is not exposed, so there is no risk, but not all deployments are ideal; the default should therefore be less permissive. The vulnerability can be mitigated by removing the SSH part from the Dockerfile and rebuilding the Docker image. Version 4.2.0 patches the vulnerability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability category
Improper access control
Vulnerability title
vantage6 access control error vulnerability
Vulnerability description
vantage6 is an open-source priVAcy preserviNg federaTed leArninG infrastructure for Secure Insight eXchange, developed by the vantage6 project. vantage6 versions before 4.2.0 have an access control error vulnerability, which stems from nodes and servers getting an SSH configuration by default that allows root login with password authentication.
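All three entries on this page describe the weak setting only in prose (root login permitted together with password authentication). The following is an added auditing script, not vantage6 project code, that reads an sshd_config the way sshd(8) resolves global directives and flags the two directives involved, PermitRootLogin and PasswordAuthentication; both sample configurations are constructed for the example.

```python
import re

# OpenSSH defaults (7.0 and later) used when a directive is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Effective global directives, per sshd(8): keywords are case-insensitive,
    the first occurrence wins, and lines after a Match are conditional (skipped)."""
    effective, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" / "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        if keyword in DEFAULTS and keyword not in seen:
            effective[keyword] = value
            seen.add(keyword)
    return effective

def audit(text):
    """Findings for the two weak settings named in the advisory."""
    cfg = parse_sshd_config(text)
    root = cfg["permitrootlogin"].lower()
    password = cfg["passwordauthentication"].lower()
    findings = []
    if root == "yes":
        findings.append("PermitRootLogin yes: root account reachable over SSH")
    if password == "yes":
        findings.append("PasswordAuthentication yes: passwords accepted as credentials")
    if root == "yes" and password == "yes":
        findings.append("root login with a password is possible")
    return findings

# Constructed sample resembling the permissive default the advisory describes.
WEAK_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"

# Constructed hardened variant: key-only, root disabled. The later
# PermitRootLogin line and the Match block do not change the global result.
HARDENED_CONFIG = """PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin = yes
Match User deploy
    PasswordAuthentication yes
"""
```

Running `audit()` over the sshd_config inside a built image (or removing sshd from the Dockerfile entirely, as the advisory recommends) verifies the fix before the container is deployed.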
CVSS information
N/A
Vulnerability category
Authorization issue