CVE-2024-0134

NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://nvidia.custhelp.com/app/answers/detail/a_id/5585	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:nvidia:nvidia_container_toolkit::::::::
	cpe:2.3:a:nvidia:nvidia_gpu_operator::::::::

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

08 Nov 2024, 15:53

Type	Values Removed	Values Added
References	~~() https://nvidia.custhelp.com/app/answers/detail/a_id/5585 -~~	() https://nvidia.custhelp.com/app/answers/detail/a_id/5585 - Vendor Advisory
CPE		cpe:2.3:a:nvidia:nvidia_container_toolkit:::::::: cpe:2.3:a:nvidia:nvidia_gpu_operator:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*
First Time		Nvidia Nvidia nvidia Container Toolkit Linux linux Kernel Linux Nvidia nvidia Gpu Operator
CWE		NVD-CWE-Other

06 Nov 2024, 18:17

Type	Values Removed	Values Added
Summary		(es) NVIDIA Container Toolkit y NVIDIA GPU Operator para Linux contienen una vulnerabilidad de UNIX en la que una imagen de contenedor especialmente manipulada puede provocar la creación de archivos no autorizados en el host. El nombre y la ubicación de los archivos no pueden ser controlados por un atacante. Una explotación exitosa de esta vulnerabilidad podría provocar la manipulación de datos.

05 Nov 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-05 19:15

Updated : 2024-11-08 15:53

NVD link : CVE-2024-0134

Mitre link : CVE-2024-0134

CVE.ORG link : CVE-2024-0134

JSON object : View

Products Affected

nvidia

nvidia_container_toolkit
nvidia_gpu_operator

linux

linux_kernel

CWE

NVD-CWE-Other CWE-61

UNIX Symbolic Link (Symlink) Following

{"id": "CVE-2024-0134", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "psirt@nvidia.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.3}]}, "published": "2024-11-05T19:15:05.203", "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5585", "tags": ["Vendor Advisory"], "source": "psirt@nvidia.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "psirt@nvidia.com", "description": [{"lang": "en", "value": "CWE-61"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering."}, {"lang": "es", "value": " NVIDIA Container Toolkit y NVIDIA GPU Operator para Linux contienen una vulnerabilidad de UNIX en la que una imagen de contenedor especialmente manipulada puede provocar la creaci\u00f3n de archivos no autorizados en el host. El nombre y la ubicaci\u00f3n de los archivos no pueden ser controlados por un atacante. Una explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda provocar la manipulaci\u00f3n de datos."}], "lastModified": "2024-11-08T15:53:40.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "004681E6-7D96-4A27-A5B1-F9E2D7EB5617", "versionEndExcluding": "1.17"}, {"criteria": "cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1338BFAB-73D4-4255-A33D-1016965C00F9", "versionEndExcluding": "24.9.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@nvidia.com"}