CVE-2023-41881: 
Python vulnerability analysis and mitigation

vantage6, a privacy preserving federated learning infrastructure, contained a vulnerability (CVE-2023-41881) where linked resources were not properly deleted when a collaboration was removed. The vulnerability affected versions prior to 4.0.0 and was discovered in October 2023. When a collaboration was deleted, associated resources such as tasks from that collaboration remained in the system, potentially leading to unauthorized access to deleted collaboration data if collaboration IDs were reused (GitHub Advisory).

The vulnerability stemmed from improper cleanup of linked resources when deleting collaborations. If a collaboration with a specific ID (e.g., id=10) was deleted and a new collaboration was later created with the same ID, authenticated users in the new collaboration could potentially access results from the previously deleted collaboration. This issue was related to incorrect ownership assignment (CWE-708) and exposure of sensitive information to unauthorized actors (CWE-200). The vulnerability received a CVSS v3.1 base score of 4.3 (MEDIUM) from NIST and 3.7 (LOW) from GitHub (NVD).

The primary impact of this vulnerability was the potential exposure of sensitive information from deleted collaborations. If collaboration IDs were reused, users in the new collaboration might gain unauthorized access to data from the previously deleted collaboration. This could lead to data privacy breaches and violation of data management principles (GitHub Advisory).

The vulnerability was patched in version 4.0.0 of vantage6, which implemented proper deletion of all linked resources when a collaboration is removed. No workarounds were available for earlier versions, making upgrading to version 4.0.0 or later the only solution (Release Notes).