Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-34668 — Deserialization of Untrusted Data in Nvidia Nvflare

CWE-502 — Deserialization of Untrusted Data6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

22.4%

top 4.16%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Nvidia Nvflare Nvidia Flare

Timeline

PublishedAug 29

Latest updateMar 25

Description

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDnvidia/nvflare< 2.1.4

▶PyPInvidia/nvflare< 2.1.4

▶CVEListV5nvidia/nvidia_flareAll versions prior to 2.1.4

🔴Vulnerability Details

GHSA

NVFLARE unsafe deserialization due to Pickle↗2022-08-31

▶

OSV

NVFLARE unsafe deserialization due to Pickle↗2022-08-31

▶

OSV

CVE-2022-34668: NVFLARE, versions prior to 2↗2022-08-29

▶

CVEList

CVE-2022-34668: NVFLARE, versions prior to 2↗2022-08-29

▶

💥Exploits & PoCs

Exploit-DB

NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle↗2023-03-25

▶