Multiple vulnerabilities in NVIDIA Container Toolkit and GPU Operator
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2024-0135 CVE-2024-0136 CVE-2024-0137 |
| CWE-ID | CWE-653 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
NVIDIA Container Toolkit Other software / Other software solutions NVIDIA GPU Operator Other software / Other software solutions |
| Vendor | nVidia |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper isolation or compartmentalization
EUVDB-ID: #VU102817
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0135
CWE-ID:
CWE-653 - Improper isolation or compartmentalization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper isolation or compartmentalization. A remote administrator can use a specially crafted container image and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNVIDIA Container Toolkit: 1.17.0
NVIDIA GPU Operator: 24.9.0
CPE2.3- cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_container_toolkit:1.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:24.9.0:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5599
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper isolation or compartmentalization
EUVDB-ID: #VU102818
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0136
CWE-ID:
CWE-653 - Improper isolation or compartmentalization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper isolation or compartmentalization. A remote administrator can use a specially crafted container image and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNVIDIA Container Toolkit: 1.17.0
NVIDIA GPU Operator: 24.9.0
CPE2.3- cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_container_toolkit:1.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:24.9.0:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5599
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper isolation or compartmentalization
EUVDB-ID: #VU102819
Risk: Medium
CVSSv4.0: 0.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-0137
CWE-ID:
CWE-653 - Improper isolation or compartmentalization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to improper isolation or compartmentalization, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNVIDIA Container Toolkit: 1.17.0
NVIDIA GPU Operator: 24.9.0
CPE2.3- cpe:2.3:a:nvidia:nvidia_container_toolkit:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_container_toolkit:1.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:*:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:nvidia_gpu_operator:24.9.0:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5599
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
