CVE-2023-23930: vantage6's Pickle serialization is insecure
First published: Wed Oct 11 2023(Updated: )
### What We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9). In summary, it is not advisable to open Pickles that you create yourself locally. In vantage6, algorithms use pickles to send aggregated data around and to pack algorithm input or output. All of the Python algorithms that use the wrappers with default serialization are therefore vulnerable to this issue. Solution: we should use JSON instead ### Impact All users of vantage6 that post tasks with algorithms that use the default serialization. The default serialization is used by default with all algorithm wrappers. ### Patches Not yet ### Workarounds Specify JSON serialization
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/vantage6 | <4.0.2 | 4.0.2 |
| Vantage6 | <4.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400
- https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0
- https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6
- https://medium.com/ochrona/python-pickle-is-notoriously-insecure-d6651f1974c9
- https://nvd.nist.gov/vuln/detail/CVE-2023-23930
- https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-196.yaml
- https://github.com/advisories/GHSA-5m22-cfq9-86x6 (Advisory)
Frequently Asked Questions
What is CVE-2023-23930?
CVE-2023-23930 is a vulnerability in vantage6, a privacy preserving federated learning infrastructure, versions prior to 4.0.0 that use pickle as the default serialization module with known security issues.
How does CVE-2023-23930 impact vantage6?
CVE-2023-23930 can allow an attacker to open Pickles that are created locally, potentially leading to unauthorized access or execution of arbitrary code in vantage6.
What is the severity of CVE-2023-23930?
CVE-2023-23930 has a severity level of 7.2 (high) according to the Common Vulnerability Scoring System (CVSS).
How can I fix CVE-2023-23930?
To fix CVE-2023-23930, it is recommended to update vantage6 to version 4.0.0 or later, which no longer uses pickle as the default serialization module.
Where can I find more information about CVE-2023-23930?
You can find more information about CVE-2023-23930 in the following references: [Reference 1](https://github.com/vantage6/vantage6/blob/0682c4288f43fee5bcc72dc448cdd99bd7e57f76/docs/release_notes.rst#400), [Reference 2](https://github.com/vantage6/vantage6/commit/e62f03bacf2247bd59eed217e2e7338c3a01a5f0), [Reference 3](https://github.com/vantage6/vantage6/security/advisories/GHSA-5m22-cfq9-86x6).
- agent/type
- agent/weakness
- agent/references
- agent/title
- agent/author
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5m22-cfq9-86x6
- alias/CVE-2023-23930
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- package-manager/pip
- vendor/vantage6
- canonical/vantage6