CVE-2022-34668

high-risk

Published 2022-08-29

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

Do I need to act?

22.4% chance of exploitation in next 30 days

EPSS score — higher than 78% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

51051

Fix available

Upgrade to: 73cb64ca45f361126da1a26377357f756ddd900f

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Nvflare

Affected Vendors

Nvidia

References (4)

http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html

Third Party Advisory https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6

http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html

Third Party Advisory https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 5/34 · Minimal