CVE-2024-24770
Published: 14 March 2024
Summary
CVE-2024-24770 is a medium-severity Observable Timing Discrepancy (CWE-208) vulnerability in Vantage6 Vantage6. Its CVSS base score is 5.3 (Medium).
Operationally, ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0829
Vulnerability details
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost`…
more
and `/2fa/lost`. These routes send emails to users if they have lost their password or MFA token. This issue has been addressed in commit `aecfd6d0e` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.
Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.
Timing randomization or delays can mask true operation timing and mislead timing-based attacks.
Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.