漏洞标题
在vantage6中,CORS设置过于宽松。
漏洞描述信息
vantage6 是一个开源框架,旨在启用、管理和部署增强隐私的技术,如联邦学习和多方计算。vantage6 服务器的 CORS 设置没有任何限制。人们应该可以设置服务器允许的源。影响有限,因为 v6 不使用会话 cookie。这个问题已在提交 `70bb4e1d8` 中得到解决,并预计在后续版本中发布。建议用户在新版本可用时尽快升级。对于此漏洞,目前尚无已知的工作绕过方法。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
漏洞类别
源验证错误
漏洞标题
CORS settings overly permissive in vantage6
漏洞描述信息
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
漏洞类别
过度许可的跨域白名单
漏洞标题
vantage6 安全漏洞
漏洞描述信息
vantage6是vantage6开源的一个用于 Secure Insight eXchange 的开源 priVAcy preserviNg federalTed leArningG 基础架构。 vantage6 4.2.1之前版本存在安全漏洞,该漏洞源于对CORS设置没有限制。
CVSS信息
N/A
漏洞类别
其他