MEDIUM 6.5

PYSEC-2023-313

Details

vantage6 is a privacy-preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of a wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0.

Affected packages

PyPI / vantage6
Introduced in: 3.3.3 Fixed in: 3.8.0
Fix: pip install --upgrade 'vantage6>=3.8.0'

References