Strix
26.1K

CVE-2024-21653

CRITICALCVSS 9.8/10EPSS 0.47%

Last modified

CVE-2024-21653 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. EPSS estimates a 0.47% chance of exploitation in the next 30 days.

Description

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.47%

36.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Vantage6Vantage6< 4.2.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-21653?
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.
How severe is CVE-2024-21653?
CVE-2024-21653 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.
How do I fix CVE-2024-21653?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-21653?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST