Skip to content

Unicode use in a user-controlled filename may cause a server-side DoS

High
titu1994 published GHSA-x392-p65g-4rxx Mar 27, 2024

Package

pip NVIDIA Neural Modules (pip)

Affected versions

NVIDIA Neural Modules 1.22.0

Patched versions

NVIDIA Neural Modules 1.22.1

Description

Description

NVIDIA has released a software security update for NVIDIA NeMo framework to address the issues that are disclosed in this bulletin. To protect your system, remove any pre-existing clone of the NVIDIA NeMo repository and instead clone the repository from the r1.23.0 branch or later (main branch).

CVE ID Description Vector Base Score Severity CWE Impacts
CVE-2024-0081 NVIDIA NeMo framework for Ubuntu contains a vulnerability in tools/asr_webapp where an attacker may cause an allocation of resources without limits or throttling. A successful exploit of this vulnerability may lead to a server-side denial of service. AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 8.6 High CWE-770 Denial of Service

Acknowledgements

NVIDIA thanks the below finder reporting this issue

CVE-2024-0081: sim4n6

Revision History

Revision Date Description
1.0 March 27, 2024 Initial release

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE ID

CVE-2024-0081

Weaknesses

Credits