AVID-2026-R1411

Description

Remote code execution (CVE-2024-21649)

Details

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

Reason for inclusion in AVID: CVE-2024-21649 describes a remote code execution vulnerability in the vantage6 platform (pre-4.2.0) that can be exploited via algorithm environment variables. Vantage6 is an AI tooling/platform used to manage and deploy federated learning and MPC workflows, i.e., software used in AI pipelines. This is a software vulnerability affecting a component used to build/deploy AI systems, not hardware/firmware. It is a security vulnerability with high impact (RCE) and has a published patch. Therefore it should be kept for AVID curation as a general-purpose AI software supply chain vulnerability.

References

• NVD entry
• https://github.com/vantage6/vantage6/security/advisories/GHSA-w9h2-px87-74vx
• https://github.com/vantage6/vantage6/commit/eac19db737145d3ca987adf037a454fae0790ddd

Affected or Relevant Artifacts

• Developer: vantage6
• Deployer: vantage6
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-01-30
• Version: 0.3.3
• AVID Entry