Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tamp3LTU1M3gtODdwcc4ABAzA

NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Permalink: https://github.com/advisories/GHSA-mjjw-553x-87pq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tamp3LTU1M3gtODdwcc4ABAzA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 8 days ago
Updated: 8 days ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-mjjw-553x-87pq, CVE-2024-0132
References:

• https://github.com/NVIDIA/gpu-operator/security/advisories/GHSA-95rf-r6p4-44h7
• https://github.com/NVIDIA/libnvidia-container/security/advisories/GHSA-q2v4-jw5g-9xxj
• https://github.com/NVIDIA/nvidia-container-toolkit/security/advisories/GHSA-mjjw-553x-87pq
• https://nvd.nist.gov/vuln/detail/CVE-2024-0132
• https://nvidia.custhelp.com/app/answers/detail/a_id/5582
• https://github.com/advisories/GHSA-mjjw-553x-87pq

Repository: https://github.com/NVIDIA/gpu-operator
Blast Radius: 10.7

Affected Packages