{"id":"PYSEC-2023-196","details":"vantage6 is privacy-preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issues, as the default serialization module. All users of vantage6 that post tasks with the default serialization are affected. Version 4.0.0 contains a patch. Users may specify JSON serialization as a workaround.","aliases":["CVE-2023-23930","GHSA-5m22-cfq9-86x6"],"modified":"2023-11-08T04:11:42.967546Z","published":"2023-10-11T18:15:00Z","references":[{"type":"WEB","url":"https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9"},{"type":"ADVISORY","url":"https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6"},{"type":"WEB","url":"https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400"},{"type":"FIX","url":"https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0"}],"affected":[{"package":{"name":"vantage6","ecosystem":"PyPI","purl":"pkg:pypi/vantage6"},"ranges":[{"type":"GIT","repo":"https://github.com/vantage6/vantage6","events":[{"introduced":"0"},{"fixed":"e62f03bacf2247bd59eed217e2e7338c3a01a5f0"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.2"}]}],"versions":["0.0.0","0.0.0b0","0.0.0b1","0.0.0b3","1.0.0","1.0.0a1","1.0.0a2","1.0.0b10","1.0.0b11","1.0.0b12","1.0.0b13","1.0.0b14","1.0.0b2","1.0.0b3","1.0.0b4","1.0.0b5","1.0.0b6","1.0.0b7","1.0.0b8","1.0.0b9","1.1.0","1.1.0rc1","1.1.0rc2","1.2.0","1.2.1","1.2.2","1.2.3","1.2.3.post2","2.0.0","2.0.0.post1","2.0.0a1","2.0.0a2","2.0.0a3","2.0.1rc1","2.0.1rc2","2.1.0","2.1.0rc1","2.1.1","2.2.0","2.2.0b1","2.2.0b2","2.2.0b3","2.2.0b4","2.2.1","2.2.10","2.2.11","2.2.12","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.3.0","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.0rc4","2.3.0rc5","2.3.1","2.3.2","2.3.2rc1","2.3.3","2.3.4","2.3.5","2.3.5b1","3.0.0","3.0.0b1","3.0.0b2","3.0.0b3","3.0.0b4","3.0.0b5","3.0.0b6","3.0.0b7","3.0.0b8","3.0.0rc1","3.0.1","3.0.2","3.0.3","3.0.4","3.1.0","3.1.0rc1","3.1.0rc5","3.1.0rc6","3.1.0rc7","3.1.0rc8","3.1.0rc9","3.1.1rc1","3.1.1rc2","3.10.0","3.10.0rc1","3.10.1","3.10.3","3.10.4","3.11.0","3.11.0rc1","3.11.0rc2","3.11.0rc3","3.11.1","3.2.0","3.2.0rc1","3.2.0rc2","3.2.0rc3","3.2.0rc4","3.2.0rc5","3.3.0","3.3.0a0","3.3.0rc1","3.3.0rc2","3.3.0rc3","3.3.0rc4","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.7a2","3.3.7a3","3.3.8a1","3.3.8a2","3.3.8a4","3.3.8a5","3.3.8a6","3.3.8a7","3.3.8a8","3.4.0","3.4.0a1","3.4.0a2","3.4.0a3","3.4.0a6","3.4.1","3.4.1a0","3.4.1a1","3.4.1a2","3.4.1a3","3.4.2","3.4.2a0","3.4.3","3.5.0","3.5.0rc1","3.5.0rc2","3.5.0rc3","3.5.1","3.5.2","3.6.0","3.6.1","3.6.1rc1","3.6.1rc2","3.6.1rc3","3.7.0","3.7.0rc1","3.7.0rc2","3.7.1","3.7.2","3.7.3","3.8.0","3.8.0rc3","3.8.1","3.8.2","3.8.2rc1","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.7rc1","3.8.8","3.8.8rc1","3.8.8rc2","3.8.8rc3","3.9.0","3.9.0rc2","3.9.0rc4","4.0.0","4.0.0a10","4.0.0a2","4.0.0a3","4.0.0a4","4.0.0a5","4.0.0a6","4.0.0a7","4.0.0a8","4.0.0a9","4.0.1","4.0.1rc2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/vantage6/PYSEC-2023-196.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}