golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/NVIDIA/nvidia-container-toolkit: GHSA-f748-7hpg-88ch #3237

Closed GoVulnBot closed 3 weeks ago

GoVulnBot commented 1 month ago

Advisory GHSA-f748-7hpg-88ch references a vulnerability in the following Go modules:

Module: github.com/NVIDIA/nvidia-container-toolkit

Description: NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.

References:

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/NVIDIA/nvidia-container-toolkit
      versions:
        - fixed: 1.16.2
      vulnerable_at: 1.16.1
summary: |-
    NVIDIA Container Toolkit allows specially crafted container image to create
    empty files on the host file system in github.com/NVIDIA/nvidia-container-toolkit
cves:
    - CVE-2024-0133
ghsas:
    - GHSA-f748-7hpg-88ch
references:
    - advisory: https://github.com/NVIDIA/nvidia-container-toolkit/security/advisories/GHSA-f748-7hpg-88ch
    - advisory: https://github.com/advisories/GHSA-f748-7hpg-88ch
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-0133
    - web: https://advisory-inbox.githubapp.com/advisory_reviews/GHSA-wqq7-v22c-gpfp
    - web: https://github.com/NVIDIA/libnvidia-container/security/advisories/GHSA-xff4-h7r9-vrpf
    - web: https://nvidia.custhelp.com/app/answers/detail/a_id/5582
source:
    id: GHSA-f748-7hpg-88ch
    created: 2024-10-29T20:01:21.234504509Z
review_status: UNREVIEWED

gopherbot commented 1 month ago

Change https://go.dev/cl/623640 mentions this issue: data/reports: add 9 unreviewed reports