CVE-2022-31604

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-31604

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31604.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-31604

Aliases

Published

2022-07-01T18:15:08Z

Modified

2024-05-14T11:58:28.821476Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

References

https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-rcxc-3w2m-mp8h

Affected packages

Git / github.com/nvidia/nvflare

Affected ranges

Type: GIT
Repo: https://github.com/nvidia/nvflare
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2b6e1b1e2e0da8636e636289e92266c42e3e6483

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.1.0

2.1.0a1

2.1.0a2

2.1.0rc1

2.1.0rc2

2.1.0rc3

2.1.0rc4

2.1.0rc5

2.1.1