HIGH 8.8

PYSEC-2024-30

Details

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / vantage6

Introduced in: 0 Fixed in: eac19db737145d3ca987adf037a454fae0790ddd

Fix pip install --upgrade 'vantage6>=eac19db737145d3ca987adf037a454fae0790ddd'

References

https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx [ADVISORY]
https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd [FIX]