CVE-2024-24770
CVSS V2 None
CVSS V3 None
Description
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`. These routes send emails to users if they have lost their password or MFA token. This issue has been addressed in commit `aecfd6d0e` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.
Overview
- CVE ID
- CVE-2024-24770
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-03-14T18:47:46.804Z
- Last Modified Date
- 2024-06-04T17:43:03.585Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/vantage6/vantage6/security/advisories/GHSA-5h3x-6gwf-73jm | x_refsource_CONFIRM |
| https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53 | x_refsource_MISC |
| https://github.com/vantage6/vantage6/commit/aecfd6d0e83165a41a60ebd52d2287b0217be26b | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-24770 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24770 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-26 03:54:39 | Added to TrackCVE |