pysec - pysec-2022-232

pysec-2022-232

Vulnerability from pysec

Published

2022-07-01 18:15

Modified

2023-06-05 01:12

Details

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nvflare",
        "purl": "pkg:pypi/nvflare"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.3",
        "0.9.0",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.1.0",
        "1.1.1",
        "2.0.0",
        "2.0.1",
        "2.0.10",
        "2.0.11",
        "2.0.12",
        "2.0.13",
        "2.0.14",
        "2.0.15",
        "2.0.16",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5",
        "2.0.6",
        "2.0.7",
        "2.0.8",
        "2.0.9",
        "2.1.0",
        "2.1.1",
        "2.0.18",
        "2.0.19"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31605",
    "GHSA-hrf3-622q-8366"
  ],
  "details": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.",
  "id": "PYSEC-2022-232",
  "modified": "2023-06-05T01:12:56.865026Z",
  "published": "2022-07-01T18:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"
    }
  ]
}

cve-2022-31605

Vulnerability from cvelistv5

Published

2022-07-01 17:15

Modified

2024-08-03 07:26

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366	x_refsource_MISC

Impacted products

▼	Vendor	Product
	NVIDIA	NVIDIA FLARE

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:26:00.993Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "NVIDIA FLARE",
          "vendor": "NVIDIA",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to 2.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-01T17:15:22",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@nvidia.com",
          "ID": "CVE-2022-31605",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "NVIDIA FLARE",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to 2.1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "NVIDIA"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 9.8,
            "baseSeverity": "High",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502: Allocation of Resources Without Limits or Throttling"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366",
              "refsource": "MISC",
              "url": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2022-31605",
    "datePublished": "2022-07-01T17:15:22",
    "dateReserved": "2022-05-24T00:00:00",
    "dateUpdated": "2024-08-03T07:26:00.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

ghsa-hrf3-622q-8366

Vulnerability from github

Published

2022-06-22 21:22

Modified

2022-06-22 21:22

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Unsafe yaml deserialization in NVFlare

Details

Impact

NVFLARE contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

All versions before 2.1.2 are affected. CVSS Score = 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patches

The patch will be included in nvflare==2.1.2

Workarounds

Change yaml.load() to yaml.safe_load()

Additional information

Issue Found by: Oliver Sellwood (@Nintorac)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {
        "affected_functions": [
          "nvflare.lighter.provision.main",
          "nvflare.lighter.utils.load_yaml"
        ]
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "nvflare"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-22T21:22:46Z",
    "nvd_published_at": "2022-07-01T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nNVFLARE contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.\n\nAll versions before 2.1.2 are affected.\nCVSS Score = 9.8\n[AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln-metrics%2Fcvss%2Fv3-calculator%3Fvector%3DAV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AN%2FS%3AU%2FC%3AH%2FI%3AH%2FA%3AH\u0026data=05%7C01%7Cchesterc%40nvidia.com%7Ce9600bde16854b0b380008da4fc544f7%7C43083d15727340c1b7db39efd9ccc17a%7C0%7C0%7C637910005925574215%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C\u0026sdata=5kBrXEmAbqp8R31JCH%2FG95MUly72UPVihnBwiRFmvBY%3D\u0026reserved=0)\n\n\n### Patches\n\nThe patch will be included in nvflare==2.1.2\n\n\n### Workarounds\nChange yaml.load() to yaml.safe_load()\n\n### Additional information\nIssue Found by: Oliver Sellwood (@Nintorac)\n\n",
  "id": "GHSA-hrf3-622q-8366",
  "modified": "2022-06-22T21:22:46Z",
  "published": "2022-06-22T21:22:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31605"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NVIDIA/NVFlare/commit/4de9782697ecb12f39bcae83221bd8d3498959be"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NVIDIA/NVFlare"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-232.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unsafe yaml deserialization in NVFlare"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2022-232

Vulnerability from pysec

cve-2022-31605

Vulnerability from cvelistv5

ghsa-hrf3-622q-8366

Vulnerability from github

Impact

Patches

Workarounds

Additional information

Tags

Sightings

Nomenclature