CVE-2024-0132 : NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use

NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Published 2024-09-26 05:18:33

Updated 2024-10-02 14:45:36

Source NVIDIA Corporation

View at NVD, CVE.org

Vulnerability category: Denial of serviceInformation leak

Products affected by CVE-2024-0132

Nvidia » Container Toolkit
Versions up to, including, (<=) 1.16.1
cpe:2.3:a:nvidia:container_toolkit:*:*:*:*:*:*:*:*
Matching versions
Nvidia » Nvidia Container Toolkit
Versions before (<) 1.16.2
cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
Nvidia » Nvidia Gpu Operator
Versions before (<) 24.6.2
cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2024-0132

EPSS FAQ

4.33%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 88 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-0132

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	N/A	N/A	NVIDIA Corporation	2024-09-26
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
8.3	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H	1.6	6.0	NIST	2024-10-02
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	2.3	6.0	NVIDIA Corporation	2024-09-26
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	N/A	N/A	RedHat-CVE-2024-0132	2024-09-26
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-0132

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
Assigned by:
- 9576f279-3576-44b5-a4af-b9a8644b2de6 (Primary)
- nvd@nist.gov (Primary)
- psirt@nvidia.com (Secondary)

References for CVE-2024-0132

https://nvidia.custhelp.com/app/answers/detail/a_id/5582

Security Bulletin: NVIDIA Container Toolkit - September 2024 | NVIDIA
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-0132

Products affected by CVE-2024-0132

Exploit prediction scoring system (EPSS) score for CVE-2024-0132

CVSS scores for CVE-2024-0132

CWE ids for CVE-2024-0132

References for CVE-2024-0132