
CVE-2024-22193: vantage6 may create unencrypted tasks in encrypted collaboration

CVSS Score (v3.1): 3.5

Basic Information

EPSS Score: 0.42107%
Published: 1/30/2024
Updated: 2/8/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Package Name: vantage6
Ecosystem: pip
Vulnerable Versions: < 4.2.0
First Patched Version: 4.2.0

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stemmed from a missing encryption check in the task creation workflow. The patch adds a new _check_input_encryption method and calls it from post_task, which indicates that post_task was the vulnerable entry point. Before the patch, post_task went ahead with task creation without verifying whether unencrypted input was about to be stored in an encrypted collaboration, bypassing the intended security control.
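To make the missing check concrete, here is an added, simplified Python model of the task-creation path (example code, not vantage6's own): the pre-patch post_task_vulnerable stores whatever it is given, while the patched post_task calls a _check_input_encryption guard before persisting anything. The Collaboration class, the TaskStore, and the plaintext-detection heuristic in is_encrypted_input are assumptions made for this example.

```python
import base64
import json
from dataclasses import dataclass

@dataclass
class Collaboration:
    id: int
    encrypted: bool  # True: task input in this collaboration must be encrypted

def is_encrypted_input(blob: str) -> bool:
    """Heuristic assumed for this example (not vantage6's own check): plaintext
    input is base64-wrapped JSON, so a blob that decodes to JSON is unencrypted."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError: not even base64
        return False
    try:
        json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return True  # not JSON text: accept as ciphertext
    return False

class TaskStore:
    """Stand-in for the server's task resource. Tasks are stored as
    (collaboration_id, input_blob) tuples; input_blob is the base64 database value."""

    def __init__(self, collaborations):
        self.collaborations = {c.id: c for c in collaborations}
        self.tasks = []

    def post_task_vulnerable(self, collaboration_id: int, input_blob: str):
        # Pre-4.2.0 behaviour from the root cause analysis: no encryption check,
        # so plaintext is persisted even in an encrypted collaboration.
        task = (collaboration_id, input_blob)
        self.tasks.append(task)
        return task

    def _check_input_encryption(self, collab: Collaboration, input_blob: str):
        if collab.encrypted and not is_encrypted_input(input_blob):
            raise ValueError("collaboration is encrypted but task input is not")

    def post_task(self, collaboration_id: int, input_blob: str):
        # Patched flow: validate before anything is persisted.
        collab = self.collaborations[collaboration_id]
        self._check_input_encryption(collab, input_blob)
        task = (collaboration_id, input_blob)
        self.tasks.append(task)
        return task
# Constructed sample inputs for the example.
PLAINTEXT_BLOB = base64.b64encode(json.dumps({"method": "summary"}).encode()).decode()
CIPHERTEXT_BLOB = base64.b64encode(bytes(range(200, 256))).decode()
```

The heuristic rejects plaintext JSON and malformed base64 but cannot prove that an opaque blob was encrypted with the right key; a real deployment should validate ciphertext framing rather than rely on "does not parse as JSON".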


Impact

There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database.
