{"id":"GHSA-vc3v-ppc7-v486","summary":"vantage6-server node accepts non-whitelisted algorithms from malicious server","details":"### Impact\nA node does not check whether an image is allowed to run when a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task for a non-whitelisted algorithm. The node will then execute that task, because the `parent_id` that is set prevents the whitelist checks from being run. Relevant node code [here](https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268).\n\nThis impacts all servers that have been breached by an expert user.\n\n### Patches\nFixed in v4.1.2\n\n### Workarounds\nNone\n\n","aliases":["CVE-2023-47631","PYSEC-2023-303","PYSEC-2023-304"],"modified":"2024-11-22T20:46:27.023910Z","published":"2023-11-14T22:21:57Z","related":["CVE-2023-47631"],"database_specific":{"cwe_ids":["CWE-345","CWE-358"],"nvd_published_at":"2023-11-14T21:15:13Z","github_reviewed_at":"2023-11-14T22:21:57Z","severity":"HIGH","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/vantage6/vantage6/security/advisories/GHSA-vc3v-ppc7-v486"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47631"},{"type":"WEB","url":"https://github.com/vantage6/vantage6/commit/bf83521eb12fa80aa5fc92ef1692010a9a7f8243"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/vantage6-node/PYSEC-2023-303.yaml"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/vantage6-server/PYSEC-2023-304.yaml"},{"type":"PACKAGE","url":"https://github.com/vantage6/vantage6"},{"type":"WEB","url":"https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268"}],"affected":[{"package":{"name":"vantage6-server","ecosystem":"PyPI","purl":"pkg:pypi/vantage6-server"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.2"}]}],"versions":[
"0.0.0","0.0.0b0","0.0.0b1","0.0.0b3","1.0.0","1.0.0b11","1.0.0b12","1.0.0b13","1.0.0b14","1.0.0b2","1.0.0b3","1.0.0b4","1.0.0b5","1.0.0b6","1.0.0b7","1.0.0b8","1.0.0b9","1.0.1","1.2.0","1.2.1","1.2.2","1.2.3","1.2.3.post1","2.0.0","2.0.0.post1","2.0.0a1","2.0.0a2","2.0.0a3","2.0.1rc1","2.0.1rc2","2.1.0","2.1.0rc1","2.1.1","2.1.2","2.1.3b1","2.1.3b2","2.1.3b3","2.1.3b4","2.2.0","2.2.0b1","2.2.0b2","2.2.0b3","2.2.0b4","2.2.1","2.2.10","2.2.11","2.2.12","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.3.0","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.0rc4","2.3.0rc5","2.3.1","2.3.2","2.3.2rc1","2.3.3","2.3.4","2.3.5","2.3.5b1","3.0.0","3.0.0b1","3.0.0b3","3.0.0b4","3.0.0b5","3.0.0b6","3.0.0b7","3.0.0b8","3.0.0rc1","3.0.1","3.0.2","3.0.3","3.0.4","3.1.0","3.1.0rc1","3.1.0rc5","3.1.0rc6","3.1.0rc7","3.1.0rc8","3.1.0rc9","3.1.1rc1","3.1.1rc2","3.10.0","3.10.0rc1","3.10.1","3.10.3","3.10.4","3.11.0","3.11.0rc1","3.11.0rc2","3.11.0rc3","3.11.1","3.2.0","3.2.0rc1","3.2.0rc2","3.2.0rc3","3.2.0rc4","3.2.0rc5","3.3.0","3.3.0a0","3.3.0rc1","3.3.0rc2","3.3.0rc3","3.3.0rc4","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.7a2","3.3.7a3","3.3.8a1","3.3.8a2","3.3.8a4","3.3.8a5","3.3.8a6","3.3.8a7","3.3.8a8","3.4.0","3.4.0a1","3.4.0a2","3.4.0a3","3.4.0a6","3.4.1","3.4.1a0","3.4.1a1","3.4.1a2","3.4.1a3","3.4.2","3.4.2a0","3.4.3","3.5.0","3.5.0rc1","3.5.0rc2","3.5.0rc3","3.5.1","3.5.2","3.6.0","3.6.1","3.6.1rc1","3.6.1rc2","3.6.1rc3","3.7.0","3.7.0rc1","3.7.0rc2","3.7.1","3.7.2","3.7.3","3.8.0","3.8.0rc3","3.8.1","3.8.2","3.8.2rc1","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.7rc1","3.8.8","3.8.8rc1","3.8.8rc2","3.8.8rc3","3.9.0","3.9.0rc2","3.9.0rc4","4.0.0","4.0.0a10","4.0.0a2","4.0.0a3","4.0.0a4","4.0.0a5","4.0.0a6","4.0.0a7","4.0.0a8","4.0.0a9","4.0.1","4.0.1rc2","4.0.2","4.0.3","4.1.0","4.1.0b0","4.1.0b1","4.1.0rc0","4.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vc3v-ppc7
-v486/GHSA-vc3v-ppc7-v486.json"}},{"package":{"name":"vantage6-node","ecosystem":"PyPI","purl":"pkg:pypi/vantage6-node"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.2"}]}],"versions":["0.0.0","0.0.0b0","0.0.0b1","0.0.0b3","1.0.0","1.0.0b11","1.0.0b12","1.0.0b13","1.0.0b14","1.0.0b2","1.0.0b3","1.0.0b4","1.0.0b5","1.0.0b6","1.0.0b7","1.0.0b8","1.0.0b9","1.1.0","1.1.0rc1","1.1.0rc2","1.2.0","1.2.1","1.2.2","1.2.3","1.2.3.post2","2.0.0","2.0.0.post1","2.0.0a1","2.0.0a2","2.0.0a3","2.0.1rc1","2.0.1rc2","2.1.0","2.1.0rc1","2.2.0","2.2.0b1","2.2.0b2","2.2.0b3","2.2.0b4","2.2.1","2.2.10","2.2.11","2.2.12","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.3.0","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.0rc4","2.3.0rc5","2.3.1","2.3.2","2.3.2rc1","2.3.3","2.3.4","2.3.5","2.3.5b1","3.0.0","3.0.0b1","3.0.0b1.post1","3.0.0b3","3.0.0b4","3.0.0b5","3.0.0b6","3.0.0b7","3.0.0b8","3.0.0rc1","3.0.1","3.0.2","3.0.3","3.0.4","3.1.0","3.1.0rc1","3.1.0rc5","3.1.0rc6","3.1.0rc7","3.1.0rc8","3.1.0rc9","3.1.1rc1","3.1.1rc2","3.10.0","3.10.0rc1","3.10.1","3.10.3","3.10.4","3.11.0","3.11.0rc1","3.11.0rc2","3.11.0rc3","3.11.1","3.2.0","3.2.0rc1","3.2.0rc2","3.2.0rc3","3.2.0rc4","3.2.0rc5","3.3.0","3.3.0a0","3.3.0rc1","3.3.0rc2","3.3.0rc3","3.3.0rc4","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.7a2","3.3.7a3","3.3.8a1","3.3.8a2","3.3.8a4","3.3.8a5","3.3.8a6","3.3.8a7","3.3.8a8","3.4.0","3.4.0a1","3.4.0a2","3.4.0a3","3.4.0a6","3.4.1","3.4.1a0","3.4.1a1","3.4.1a2","3.4.1a3","3.4.2","3.4.2a0","3.4.3","3.5.0","3.5.0rc1","3.5.0rc2","3.5.0rc3","3.5.1","3.5.2","3.6.0","3.6.1","3.6.1rc1","3.6.1rc2","3.6.1rc3","3.7.0","3.7.0rc1","3.7.0rc2","3.7.1","3.7.2","3.7.3","3.8.0","3.8.0rc3","3.8.1","3.8.2","3.8.2rc1","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.7rc1","3.8.8","3.8.8rc1","3.8.8rc2","3.8.8rc3","3.9.0","3.9.0rc2","3.9.0rc4","4.0.0","4.0.0a10","4.0.0a2","4.0.0a3","4.0.0a4","4.0.0a5","4.0.0a6","4.0.0a7","4.0.0a8","4.0.0a9","4.0.1","4.0.1rc2","4.
0.2","4.0.3","4.1.0","4.1.0b0","4.1.0b1","4.1.0rc0","4.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vc3v-ppc7-v486/GHSA-vc3v-ppc7-v486.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}