Unauthorized access to screen in vantage6

Description

vantage6 does not properly delete linked resources when deleting a collaboration.

When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted.

Deleting these linked resources is partly a matter of managing data properly, but it also prevents a potential (but unlikely) side effect: if a collaboration with id=10 is deleted and a new collaboration is subsequently created with id=10, the authenticated users in the new collaboration could, in some cases, see results of the deleted collaboration, resulting in information disclosure.
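The id-reuse side effect described above can be reproduced on a constructed schema; this is an added example, not vantage6 code. The table and column names are hypothetical, and SQLite is an assumption chosen because an `INTEGER PRIMARY KEY` without `AUTOINCREMENT` hands a freed id to the next row.

```python
import sqlite3

def build(cascade: bool) -> sqlite3.Connection:
    """Constructed two-table schema; names are hypothetical, not vantage6's."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions without this
    fk = "REFERENCES collaboration(id) ON DELETE CASCADE" if cascade else ""
    db.execute("CREATE TABLE collaboration (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE task (id INTEGER PRIMARY KEY, "
               f"collaboration_id INTEGER {fk}, result TEXT)")
    return db

def visible_results(db: sqlite3.Connection, collaboration_id: int) -> list:
    """What a member would be shown when tasks are matched by collaboration id only."""
    rows = db.execute("SELECT result FROM task WHERE collaboration_id = ?",
                      (collaboration_id,))
    return [r[0] for r in rows]

def count_orphans(db: sqlite3.Connection) -> int:
    """Detection query: tasks whose collaboration no longer exists."""
    return db.execute("SELECT COUNT(*) FROM task WHERE collaboration_id NOT IN "
                      "(SELECT id FROM collaboration)").fetchone()[0]

def delete_then_recreate(cascade: bool):
    db = build(cascade)
    old_id = db.execute("INSERT INTO collaboration (name) VALUES ('old')").lastrowid
    db.execute("INSERT INTO task (collaboration_id, result) VALUES (?, ?)",
               (old_id, "result of deleted collaboration"))
    db.execute("DELETE FROM collaboration WHERE id = ?", (old_id,))
    orphans = count_orphans(db)  # measured before the id is handed out again
    # The table is empty again, so the new row receives the freed id.
    new_id = db.execute("INSERT INTO collaboration (name) VALUES ('new')").lastrowid
    return old_id, new_id, visible_results(db, new_id), orphans

if __name__ == "__main__":
    print("no cascade:", delete_then_recreate(cascade=False))
    print("cascade:   ", delete_then_recreate(cascade=True))
```

Run periodically, the `count_orphans` query doubles as a check for linked rows left behind by earlier deletions.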

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions
FLAT-JT3SN – Vulnerability | Fluid Attacks Database