—

PYSEC-2023-52

Details

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / vantage6

Introduced in: 0 Fixed in: ab4381c35d24add06f75d5a8a284321f7a340bd2

Fix pip install --upgrade 'vantage6>=ab4381c35d24add06f75d5a8a284321f7a340bd2'

References

https://github.com/vantage6/vantage6/security/advisories/GHSA-36gx-9q6h-g429 [ADVISORY]
https://github.com/vantage6/vantage6/pull/281 [ADVISORY]
https://github.com/vantage6/vantage6/issues/59 [ADVISORY]
https://github.com/vantage6/vantage6/commit/ab4381c35d24add06f75d5a8a284321f7a340bd2 [FIX]