AVID-2026-R1412

Description

vantage6 insecure SSH configuration for node and server containers (CVE-2024-21653)

Details

The vantage6 technology enables managing and deploying privacy-enhancing technologies such as Federated Learning (FL) and Multi-Party Computation (MPC). By default, nodes and servers get an SSH configuration that permits root login with password authentication. In a proper deployment the SSH service is not exposed, so there is no risk, but not all deployments are ideal; the default should therefore be less permissive. The vulnerability can be mitigated by removing the SSH part from the Dockerfile and rebuilding the Docker image. Version 4.2.0 patches the vulnerability.

Reason for inclusion in AVID: CVE-2024-21653 concerns an insecure default SSH configuration in the vantage6 container deployment, a software component used to manage AI privacy-preserving workflows (federated learning/MPC). This is a software supply chain issue affecting containers/images used in AI systems, with remediation, CVSS details, and explicit references. It is a security vulnerability (unrestricted root login via SSH) that could impact AI pipelines if exploited.
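
A check for the default described in Details, as an added example (not vantage6 or AVID code): it resolves an sshd_config the way sshd does (first value per keyword wins, Match blocks override the global section) and reports where root can log in with a password. The function names and the sample configurations are constructed for illustration; Include files are not followed.

```python
import re

# OpenSSH built-in defaults, used when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks). sshd keeps the FIRST value it
    reads for a keyword, and keywords are case-insensitive."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"(\w+)[\s=]+(\S.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # everything below applies only to this Match block
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = global_settings if current is None else current["settings"]
        target.setdefault(key, value.split()[0].lower())  # first value wins
    return global_settings, match_blocks

def root_password_login_findings(text):
    """List the contexts (global or Match block) where root password login is allowed."""
    global_settings, match_blocks = parse_sshd_config(text)
    base = {**DEFAULTS, **global_settings}
    contexts = [("global", base)] + [
        ("Match " + b["criteria"], {**base, **b["settings"]}) for b in match_blocks]
    return [name for name, eff in contexts
            if eff["permitrootlogin"] == "yes" and eff["passwordauthentication"] == "yes"]

# Constructed sample configurations (not copied from any vantage6 image).
PERMISSIVE = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\n"
MATCH_OVERRIDE = "PermitRootLogin no\nMatch Address 10.0.0.0/8\n  PermitRootLogin yes\n"

if __name__ == "__main__":
    for label, cfg in [("permissive", PERMISSIVE), ("hardened", HARDENED),
                       ("match override", MATCH_OVERRIDE)]:
        print(label, "->", root_password_login_findings(cfg) or "no root password login")
```

Run it against the sshd_config extracted from a built image; an empty result means root password login is not enabled in any parsed context.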

References

Affected or Relevant Artifacts

  • Developer: vantage6
  • Deployer: vantage6
  • Artifact Details:
      • Type: System
      • Name: vantage6

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Base Score: 6.5
  • Base Severity: 🟠 Medium
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🟢 Low
  • Integrity Impact: 🟢 Low
  • Availability Impact: NONE

CWE

  • ID: CWE-284
  • Description: CWE-284: Improper Access Control

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-01-30
  • Version: 0.3.3
  • AVID Entry