CVE-2024-0132

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://nvidia.custhelp.com/app/answers/detail/a_id/5582	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

02 Oct 2024, 14:45

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.0~~	v2 : unknown v3 : 8.3
References	~~() https://nvidia.custhelp.com/app/answers/detail/a_id/5582 -~~	() https://nvidia.custhelp.com/app/answers/detail/a_id/5582 - Vendor Advisory
CPE		cpe:2.3:a:nvidia:nvidia_container_toolkit:::::::: cpe:2.3:a:nvidia:nvidia_gpu_operator:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*
First Time		Linux linux Kernel Nvidia nvidia Gpu Operator Nvidia Linux Nvidia nvidia Container Toolkit

26 Sep 2024, 13:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-26 06:15

Updated : 2024-10-02 14:45

NVD link : CVE-2024-0132

Mitre link : CVE-2024-0132

CVE.ORG link : CVE-2024-0132

JSON object : View

Products Affected

linux

linux_kernel

nvidia

nvidia_gpu_operator
nvidia_container_toolkit

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2024-0132", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "psirt@nvidia.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2024-09-26T06:15:02.397", "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5582", "tags": ["Vendor Advisory"], "source": "psirt@nvidia.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}]}, {"type": "Secondary", "source": "psirt@nvidia.com", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."}, {"lang": "es", "value": "NVIDIA Container Toolkit 1.16.1 o versiones anteriores contienen una vulnerabilidad de tipo TOCTOU (Time-of-check Time-of-Use) cuando se utiliza con la configuraci\u00f3n predeterminada, en la que una imagen de contenedor manipulada espec\u00edficamente puede obtener acceso al sistema de archivos del host. Esto no afecta a los casos de uso en los que se utiliza CDI. Una explotaci\u00f3n exitosa de esta vulnerabilidad puede provocar la ejecuci\u00f3n de c\u00f3digo, la denegaci\u00f3n de servicio, la escalada de privilegios, la divulgaci\u00f3n de informaci\u00f3n y la manipulaci\u00f3n de datos."}], "lastModified": "2024-10-02T14:45:36.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55455A6E-4257-4750-9A18-8D8A5EA029B7", "versionEndExcluding": "1.16.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28B17317-5E43-4842-BB41-6E459FAD3D40", "versionEndExcluding": "24.6.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@nvidia.com"}