First published: Tue Nov 14 2023(Updated: )
### Impact A node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to set a fake `parent_id` and send a task of a non-whitelisted algorithm. The node will then execute it because the `parent_id` that is set prevents checks from being run. Relevant node code [here](https://github.com/vantage6/vantage6/blob/version/4.1.1/vantage6-node/vantage6/node/docker/docker_manager.py#L265-L268) This impacts all servers that are breached by an expert user ### Patches Fixed in v4.1.2 ### Workarounds None
|Affected Software||Affected Version||How to fix|
The vulnerability ID for this issue is GHSA-vc3v-ppc7-v486.
The impact of this vulnerability is that a malicious party can execute a non-whitelisted algorithm by modifying the server's `parent_id` to set a fake value.
This vulnerability occurs because a node does not check if an image is allowed to run if a `parent_id` is set.
The severity rating of this vulnerability is high (CVSS 7.2).
To fix this vulnerability, update the vantage6-server package to version 4.1.2 or higher.