CVE-2022-42279 — OS Command Injection in Nvidia DGX A100 Firmware

CWE-78 — OS Command Injection CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

8.8HIGHNVD

CNA7.2GHSA4.2

EPSS

0.6%

top 30.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nvidia DGX A100 Firmware Nvidia DGX Servers

Timeline

PublishedJan 13

Description

NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure and data tampering.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDnvidia/dgx_a100_firmware< 00.19.07

▶CVEListV5nvidia/nvidia_dgx_serversAll BMC firmware versions prior to 00.19.07

🔴Vulnerability Details

CVEList

CVE-2022-42279: NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can inject arbitrary shell commands, which may lead to code executio↗2023-01-13

▶

GHSA

GHSA-fqwv-634j-ggr9: NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can inject arbitrary shell commands, which may lead to code executio↗2023-01-13

▶

GHSA

Chakra Scripting Engine and ChakraCore Vulnerable to Memory Corruption↗2022-05-24

▶