Allocation of Resources Without Limits or Throttling in nvflare

High
IsaacYangSLA published GHSA-jx8f-cpx7-fv47 Mar 17, 2022

Package

nvflare (pip)

Affected versions

<2.0.16

Patched versions

2.0.16

Description

Impact

NVIDIA FLARE contains a vulnerability in the Admin Interface, where an unauthorized attacker can cause Allocation of Resources Without Limits or Throttling, which may make the system unavailable.

All versions before 2.0.16 are affected.

Patches

The patch will be included in nvflare==2.0.16.
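
To find dependency pins that still fall in the affected range (<2.0.16), this added example (not part of the advisory or of the NVFlare project) classifies nvflare lines in requirements.txt or pip freeze style text. The function names and the sample input are constructed for illustration, and pre-releases of 2.0.16 are conservatively marked for review.

```python
import re

PACKAGE = "nvflare"
FIXED = (2, 0, 16)  # first patched release named in the advisory
_REQ = re.compile(r"^\s*([\w.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|!=|>|<)?\s*([^\s;#,]+)?")
_PRE = re.compile(r"^[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

def parse_version(text):
    """Return (release_tuple, is_prerelease), or None if not a plain version."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m or "*" in text:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (len(FIXED) - len(nums))  # "2.0" compares as 2.0.0
    return nums, bool(_PRE.match(m.group(2)))

def classify(line):
    """Return 'affected', 'patched' or 'review' for an nvflare line, else None."""
    m = _REQ.match(line)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
        return None
    op, parsed = m.group(2), parse_version(m.group(3) or "")
    if op is None or parsed is None:
        return "review"  # unpinned or wildcard: the resolver decides
    release, pre = parsed
    if op == "==" and release < FIXED:
        return "affected"
    if op in ("==", ">=", "~=", ">") and release >= FIXED and not pre:
        return "patched"
    return "review"  # ranges that still admit <2.0.16, or pre-releases

def audit(text):
    """Map each nvflare requirement line in `text` to its verdict."""
    return {ln.strip(): v for ln in text.splitlines() if (v := classify(ln))}

# Constructed sample input (requirements.txt / pip freeze style), not from a real project.
SAMPLE = """\
numpy==1.21.0
nvflare==2.0.15
NVFlare==2.0.16
nvflare>=2.0
nvflare==2.0.16rc1
nvflare[extra]==2.0.9
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE).items():
        print(f"{verdict:9} {line}")
```

Lines marked `review` need a look at the resolved environment, since a loose range such as `nvflare>=2.0` can still install a release older than 2.0.16.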

Workarounds

The changes in commits 93588b3 and 93588b3 can be applied to any version of NVIDIA FLARE without any adverse effect.

Additional information

Issue Found on: 2022.3.3
Issue Found by: Oliver Sellwood (@Nintorac)

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-21822
