Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nYzU3LXhoaDUtbTk0cs4AA2cO
Improper Access Control in vantage6
Impact
The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, currently it is only checked if the user has permission to view the collaboration.
Patches
No
Workarounds
None
References
None
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nYzU3LXhoaDUtbTk0cs4AA2cO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 6 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-gc57-xhh5-m94r, CVE-2023-41882
References:
- https://github.com/vantage6/vantage6/security/advisories/GHSA-gc57-xhh5-m94r
- https://nvd.nist.gov/vuln/detail/CVE-2023-41882
- https://github.com/vantage6/vantage6/pull/711
- https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
- https://github.com/vantage6/vantage6/commit/86564e103cbac5238ce2fe392e3357e0e8c20220
- https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-201.yaml
- https://github.com/advisories/GHSA-gc57-xhh5-m94r
Blast Radius: 5.2
Affected Packages
pypi:vantage6
Dependent packages: 2Dependent repositories: 9
Downloads: 1,820 last month
Affected Version Ranges: < 4.0.0
Fixed in: 4.0.0
All affected versions: 0.0.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.9.0, 3.10.0, 3.10.1, 3.10.3, 3.10.4, 3.11.0, 3.11.1
All unaffected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.4