
exploitDog


CVE-2025-23359

Published: 12 Feb 2025
Source: redhat
CVSS3: 8.3
EPSS: Low

Description

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

A flaw was found in the NVIDIA Container Toolkit for Linux. This vulnerability allows a crafted container image to gain access to the host file system via a Time-of-Check Time-of-Use (TOCTOU) flaw in the default configuration, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Report

This vulnerability in the NVIDIA container toolkit does not affect Red Hat products. Specially crafted container images are required for effective exploitation and none of the Red Hat signed containers are crafted in such a way as to allow exploitation. Our containers which include the nvidia toolkit comply with our operating procedures by utilizing the Container Device Interface (CDI). As noted in the Nvidia bulletin, the vulnerability does not impact use-cases where CDI is used. We’ve rated this as important vs critical in the event that non-signed container images, crafted by an attacker, are permitted to be deployed in an environment. This scenario is not typical.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | toolbox | Not affected | | |
| Red Hat Enterprise Linux 9 | toolbox | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | bootc-aws-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | bootc-azure-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | bootc-gcp-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | bootc-ibm-nvidia-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) | bootc-nvidia-rhel9 | Not affected | | |


Additional information

Status: Important
Defect: CWE-367
https://bugzilla.redhat.com/show_bug.cgi?id=2345129 (nvidia-container-toolkit: TOCTOU Vulnerability in NVIDIA Container Toolkit)

EPSS

Percentile: 71%
Score: 0.00666 (Low)

CVSS3: 8.3 High

Related vulnerabilities

CVSS3: 8.3
nvd
11 months ago

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVSS3: 8.3
msrc
11 months ago

No description available

CVSS3: 8.3
github
11 months ago

NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVSS3: 8.3
fstec
11 months ago

Vulnerability in the NVIDIA Container Toolkit software for building and running containers and in the NVIDIA GPU Operator resource-management tool, related to synchronization errors when using a shared resource ("race condition"), allowing an attacker to execute code

suse-cvrf
about 2 months ago

Security update for nvidia-container-toolkit
