Fate
Monthly
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.