CVE-2023-31036 : NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability wh

NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where, when it is launched with the non-default command line option --model-control explicit, an attacker may use the model load API to cause a relative path traversal. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Published 2024-01-12 17:15:09

Updated 2024-01-18 20:45:53

Source NVIDIA Corporation

View at NVD, CVE.org

Vulnerability category: Directory traversalDenial of serviceInformation leak

Products affected by CVE-2023-31036

Nvidia » Triton Inference Server
Versions before (<) 2.40
cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-31036

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 37 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-31036

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2024-01-18
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	NVIDIA Corporation	2024-01-12
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-31036

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)
CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Assigned by: psirt@nvidia.com (Secondary)

References for CVE-2023-31036

https://nvidia.custhelp.com/app/answers/detail/a_id/5509

Security Bulletin: Triton Inference Server - December 2023 | NVIDIA
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-31036

Products affected by CVE-2023-31036

Exploit prediction scoring system (EPSS) score for CVE-2023-31036

CVSS scores for CVE-2023-31036

CWE ids for CVE-2023-31036

References for CVE-2023-31036