CVE-2024-0133

NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.

CVSS v3 3.4 LOW

3.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://nvidia.custhelp.com/app/answers/detail/a_id/5582	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

02 Oct 2024, 14:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nvidia:nvidia_gpu_operator:::::::: cpe:2.3:a:nvidia:nvidia_container_toolkit:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~4.1~~	v2 : unknown v3 : 3.4
First Time		Linux linux Kernel Nvidia nvidia Container Toolkit Nvidia nvidia Gpu Operator Nvidia Linux
References	~~() https://nvidia.custhelp.com/app/answers/detail/a_id/5582 -~~	() https://nvidia.custhelp.com/app/answers/detail/a_id/5582 - Vendor Advisory

26 Sep 2024, 13:32

Type	Values Removed	Values Added
Summary		(es) NVIDIA Container Toolkit 1.16.1 o versiones anteriores contienen una vulnerabilidad en el modo de funcionamiento predeterminado que permite que una imagen de contenedor especialmente manipulada cree archivos vacíos en el sistema de archivos del host. Esto no afecta a los casos de uso en los que se utiliza CDI. Una explotación exitosa de esta vulnerabilidad puede provocar la manipulación de datos.

26 Sep 2024, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-26 06:15

Updated : 2024-10-02 14:43

NVD link : CVE-2024-0133

Mitre link : CVE-2024-0133

CVE.ORG link : CVE-2024-0133

JSON object : View

Products Affected

linux

linux_kernel

nvidia

nvidia_gpu_operator
nvidia_container_toolkit

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2024-0133", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "psirt@nvidia.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.3}]}, "published": "2024-09-26T06:15:04.053", "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582", "tags": ["Vendor Advisory"], "source": "psirt@nvidia.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}]}, {"type": "Secondary", "source": "psirt@nvidia.com", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering."}, {"lang": "es", "value": "NVIDIA Container Toolkit 1.16.1 o versiones anteriores contienen una vulnerabilidad en el modo de funcionamiento predeterminado que permite que una imagen de contenedor especialmente manipulada cree archivos vac\u00edos en el sistema de archivos del host. Esto no afecta a los casos de uso en los que se utiliza CDI. Una explotaci\u00f3n exitosa de esta vulnerabilidad puede provocar la manipulaci\u00f3n de datos."}], "lastModified": "2024-10-02T14:43:22.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55455A6E-4257-4750-9A18-8D8A5EA029B7", "versionEndExcluding": "1.16.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28B17317-5E43-4842-BB41-6E459FAD3D40", "versionEndExcluding": "24.6.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@nvidia.com"}