CVE-2023-31036 — Relative Path Traversal in Nvidia Triton Inference Server

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal3 documents3 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

0.2%

top 52.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nvidia Triton Inference Server

Timeline

PublishedJan 12

Description

NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where, when it is launched with the non-default command line option --model-control explicit, an attacker may use the model load API to cause a relative path traversal. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDnvidia/triton_inference_server< 2.40

▶CVEListV5nvidia/triton_inference_serverAll versions prior to 2.40

🔴Vulnerability Details

GHSA

GHSA-vm7f-687f-4r4g: NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where, when it is launched with the non-default command line option --mo↗2024-01-12

▶

CVEList

CVE↗2024-01-12

▶