CVE-2024-0113
EUVD-2024-1591412.08.2024, 13:38
NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information disclosure.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nvidia | mlnx-os | 𝑥 < 3.10.4500 |
| nvidia | mlnx-os | 𝑥 < 3.12.1002 |
| nvidia | mlnx-os | 3.11.0000 ≤ 𝑥 < 3.11.2302 |
| nvidia | onyx | 𝑥 < 3.10.4504 |
| nvidia | mlnx-gw | 𝑥 < 8.1.4500 |
| nvidia | mlnx-gw | 𝑥 < 8.2.2300 |
| nvidia | nvda-os_xc | 𝑥 < 18.2.2200 |
| nvidia | mlnx-os | 𝑥 < 3.12.1002 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| nvidia | mellanox_os_firmware | 𝑥 ≤ 3.11.4000 | ADP |
| nvidia | mellanox_os_firmware | 𝑥 ≤ 3.11.2200 | ADP |
| nvidia | mellanox_os_firmware | 𝑥 ≤ 3.10.4400 | ADP |
| nvidia | skyway_firmware | 𝑥 ≤ 8.2.2200 | ADP |
| nvidia | skyway_firmware | 𝑥 ≤ 8.1.4400 | ADP |
| nvidia | metrox-2_firmware | 𝑥 ≤ 3.11.4000 | ADP |
| nvidia | metrox-3_xc_firmware | 𝑥 ≤ 18.2.2200 | ADP |
Common Weakness Enumeration
- CWE-35 - Path Traversal: '.../...//'The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.