GHSA-JX8F-CPX7-FV47

Vulnerability from github – Published: 2022-03-18 23:18 – Updated: 2022-03-18 23:18
VLAI?
Summary
Allocation of Resources Without Limits or Throttling in nvflare
Details

Impact

NVIDIA FLARE contains a vulnerability in Admin Interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable

All versions before 2.0.16 are affected.

Patches

The patch will be included in nvflare==2.0.16.

Workarounds

The changes in commits https://github.com/NVIDIA/NVFlare/commit/93588b3a0dff9bd4568983071b74d8b420de3a6e and https://github.com/NVIDIA/NVFlare/commit/93588b3a0dff9bd4568983071b74d8b420de3a6e can be applied to any version of the NVIDIA FLARE without any adverse effect.

Additional information

Issue Found on: 2022.3.3 Issue Found by: Oliver Sellwood (@Nintorac)

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nvflare"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T23:18:43Z",
    "nvd_published_at": "2022-03-17T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nNVIDIA FLARE contains a vulnerability in Admin Interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable\n\nAll versions before 2.0.16 are affected.\n\n### Patches\nThe patch will be included in nvflare==2.0.16.\n\n### Workarounds\nThe changes in commits https://github.com/NVIDIA/NVFlare/commit/93588b3a0dff9bd4568983071b74d8b420de3a6e and https://github.com/NVIDIA/NVFlare/commit/93588b3a0dff9bd4568983071b74d8b420de3a6e  can be applied to any version of the NVIDIA FLARE without any adverse effect.\n\n### Additional information\nIssue Found on: 2022.3.3\nIssue Found by: Oliver Sellwood (@Nintorac)",
  "id": "GHSA-jx8f-cpx7-fv47",
  "modified": "2022-03-18T23:18:43Z",
  "published": "2022-03-18T23:18:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-jx8f-cpx7-fv47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21822"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NVIDIA/NVFlare"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Allocation of Resources Without Limits or Throttling in nvflare"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.