Cyber Resilience

CVE-2024-21649

High · RCE

Published: 30 January 2024

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0610 (91.0th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21649 is a high-severity Code Injection (CWE-94) vulnerability in vantage6. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-21649 affects the vantage6 platform, which manages deployment of privacy-enhancing technologies including Federated Learning and Multi-Party Computation. Prior to version 4.2.0 the software permitted authenticated users to perform code injection via algorithm environment variables, corresponding to CWE-94 and carrying a CVSS 3.1 score of 8.8.

An attacker with a valid vantage6 account can supply malicious values that are later executed inside algorithm containers, resulting in remote code execution with full confidentiality, integrity, and availability impact on the affected node.

The vulnerability is addressed in the 4.2.0 release; the project’s GitHub Security Advisory GHSA-w9h2-px87-74vx and the associated commit eac19db737145d3ca987adf037a454fae0790ddd document the patch that removes the unsanitized environment-variable path.

EPSS remains flat at 0.0610 with no material post-disclosure increase, while the technology’s focus on federated workloads makes the issue relevant to organizations running distributed privacy-preserving analytics.

Vulnerability details

The vantage6 technology enables managing and deploying privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vantage6
vantage6
≤ 4.2.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.
