CVE-2024-0133
Package: NVIDIA GPU Operator (Kubernetes Operator)
Affected versions: < 24.6.1
Patched versions: 24.6.2

Package: libnvidia-container-tools (Debian / RPM packages)
Affected versions: < 1.16.2
Patched versions: 1.16.2

Package: libnvidia-container1 (Debian / RPM packages)
Affected versions: < 1.16.2
Patched versions: 1.16.2
Description
NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to data tampering.
Patches
The issue has been fixed in v1.16.2 of the libnvidia-container* packages that are bundled with the NVIDIA Container Toolkit v1.16.2. NVIDIA GPU Operator 24.6.2 supports NVIDIA Container Toolkit v1.16.2 and uses it by default.
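One way to check installed packages against the patched versions listed above, as an added example that is not part of the advisory or of NVIDIA's tooling. The `gpu-operator` label, the status words `below-fixed` / `fixed` and the sample listing are assumptions made for this example.

```shell
# Added example (not from the advisory): flag packages below the patched versions.
FIXED_LIBNVC="1.16.2"        # patched libnvidia-container* version per the advisory
FIXED_GPU_OPERATOR="24.6.2"  # patched NVIDIA GPU Operator version per the advisory

# Constructed sample listing in "name version" form (not real host output).
SAMPLE='libnvidia-container-tools 1.16.1-1
libnvidia-container1 1.16.2-1
gpu-operator v24.6.1'

# Drop an epoch, a leading "v" and the package revision ("1.16.1-1" -> "1.16.1").
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/^v//' -e 's/-[^-]*$//'
}

# Succeeds when version $1 sorts strictly before $2 (numeric-aware: 1.9.0 < 1.16.2).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify NAME INSTALLED FIXED -> prints "NAME INSTALLED below-fixed|fixed"
classify() {
    if version_lt "$(upstream_version "$2")" "$3"; then
        printf '%s %s below-fixed\n' "$1" "$2"
    else
        printf '%s %s fixed\n' "$1" "$2"
    fi
}

# Classify "name version" lines from stdin; "gpu-operator" is an assumed label
# for an operator version that the caller supplies by hand.
check_listing() {
    while read -r name ver; do
        [ -n "$ver" ] || continue   # skip entries with no installed version
        case "$name" in
            libnvidia-container-tools|libnvidia-container1) classify "$name" "$ver" "$FIXED_LIBNVC" ;;
            gpu-operator) classify "$name" "$ver" "$FIXED_GPU_OPERATOR" ;;
        esac
    done
}

# Query the local package database (Debian or RPM) and classify what is installed.
check_host() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libnvidia-container*' 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}\n' 'libnvidia-container*'
    fi | check_listing
}
```

Run `check_host` on a node to classify its installed libnvidia-container packages, or pipe a collected listing into `check_listing`.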
References