We use cookies to improve your experience on our site.
AVID-2026-R1055
Description
Vulnerability CVE-2022-34668
Details
NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.
Reason for inclusion in AVID: CVE-2022-34668 concerns NVFlare, an AI/ML software framework used to build/deploy AI systems; the vulnerability is a deserialization (Pickle) issue enabling remote code execution, denial of service, and impacts to confidentiality and integrity within the AI software stack. This affects components in the AI supply chain (deployment/runtime of AI workloads) and is a security vulnerability with clear AI relevance.
References
- NVD entry
- https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6
- http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html
Affected or Relevant Artifacts
- Developer: NVIDIA
- Deployer: NVIDIA
- Artifact Details:
| Type | Name |
|---|---|
| System | NVIDIA FLARE |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-502 | CWE-502: Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-08-29
- Version: 0.3.3
- AVID Entry