UNIX Symbolic Link (Symlink) Following Affecting github.com/nvidia/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-symlinks package, versions <1.17.0


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS
0.05% (16th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMNVIDIANVIDIACONTAINERTOOLKITCMDNVIDIACDIHOOKCREATESYMLINKS-8353105
  • Published: 8 Nov 2024
  • Disclosed: 5 Nov 2024
  • Credit: Andres Riancho, Ronen Shustin, Shir Tamari

Introduced: 5 Nov 2024

CVE-2024-0134
CWE-61

How to fix?

Upgrade github.com/NVIDIA/nvidia-container-toolkit/cmd/nvidia-cdi-hook/create-symlinks to version 1.17.0 or higher.

Overview

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the handling of container images. An attacker can create unauthorized files on the host by using a specially-crafted container image.

Note: This is only exploitable if the attacker is able to deploy custom containers on the system.
