CVE-2022-31604
Unsafe deserialisation in the PKI implementation scheme of NVFlare
9.8
CRITICAL
CVSS 3.1
EPSS 2.4%
Description
NVFLARE versions prior to 2.1.2 contain a vulnerability in the PKI implementation module: CA credentials are transported via pickle and deserialised without any safe-deserialisation control. Because unpickling attacker-supplied bytes lets the sender name arbitrary callables, deserialisation of untrusted data may allow an unprivileged network attacker to achieve remote code execution or denial of service, with impact to both confidentiality and integrity.
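The bug class behind this advisory, shown as an added example (this is illustrative code, not NVFlare's; the credential field names, the wire format and the marker environment variable are assumptions). It builds a pickle that encodes a call to `exec()` rather than data, feeds it to the vulnerable pattern (`pickle.loads` on network bytes) to show that code runs in the receiver, and then shows two remediations: an `Unpickler` whose `find_class` refuses every global, and the preferable option of carrying the credentials in a data-only format (JSON) checked against a fixed schema.

```python
"""Bug class of CVE-2022-31604: CA credentials received from the network and
rebuilt with pickle.  Added example, not NVFlare code; field names, wire format
and the MARKER variable are assumptions made for the demonstration."""
import io
import json
import os
import pickle

MARKER = "CVE_2022_31604_DEMO"  # env var the payload sets so execution is observable


class MaliciousCredentials:
    """Constructed attacker object: its pickle encodes a call to exec(), not data."""

    def __reduce__(self):
        # On unpickling, the receiver evaluates exec(<attacker string>).
        return (exec, (f"import os; os.environ['{MARKER}'] = 'code ran'",))


def build_malicious_payload() -> bytes:
    """Bytes an attacker who can reach the endpoint would send instead of a CA bundle."""
    return pickle.dumps(MaliciousCredentials())


def build_benign_payload() -> bytes:
    """Constructed stand-in for a legitimate pickled credential bundle."""
    return pickle.dumps({"root_cert_pem": "-----BEGIN CERTIFICATE-----...",
                         "root_key_pem": "-----BEGIN PRIVATE KEY-----..."})


# Vulnerable pattern described by the advisory: unpickle whatever arrived on the wire.
def load_credentials_unsafe(wire_bytes: bytes):
    return pickle.loads(wire_bytes)


def demo_unsafe():
    """Return the marker after unpickling the attacker payload; 'code ran' proves RCE."""
    os.environ.pop(MARKER, None)
    load_credentials_unsafe(build_malicious_payload())
    return os.environ.get(MARKER)


# Mitigation 1: keep pickle for plain containers but refuse every global lookup,
# so the stream cannot name a callable (exec, os.system, subprocess.Popen, ...).
class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_credentials_restricted(wire_bytes: bytes):
    return NoGlobalsUnpickler(io.BytesIO(wire_bytes)).load()


def demo_restricted():
    """Return ('blocked', marker) when the attack payload is rejected before running."""
    os.environ.pop(MARKER, None)
    try:
        load_credentials_restricted(build_malicious_payload())
    except pickle.UnpicklingError:
        return ("blocked", os.environ.get(MARKER))
    return ("loaded", os.environ.get(MARKER))


# Mitigation 2 (preferred): a data-only format with a fixed schema.  Nothing in
# JSON can name code, and the schema check rejects unexpected or mistyped fields.
CREDENTIAL_SCHEMA = {"root_cert_pem": str, "root_key_pem": str}  # assumed field set


def load_credentials_json(wire_bytes: bytes) -> dict:
    obj = json.loads(wire_bytes.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != set(CREDENTIAL_SCHEMA):
        raise ValueError("unexpected credential fields")
    for field, ftype in CREDENTIAL_SCHEMA.items():
        if not isinstance(obj[field], ftype):
            raise ValueError(f"bad type for {field}")
    return obj


def json_rejects(wire_bytes: bytes) -> bool:
    """True if the JSON loader refuses the bytes (JSONDecodeError and
    UnicodeDecodeError are both ValueError subclasses)."""
    try:
        load_credentials_json(wire_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader:", demo_unsafe())
    print("restricted loader:", demo_restricted())
    print("json loader rejects pickle bytes:", json_rejects(build_malicious_payload()))
```

The restricted unpickler is a stop-gap: it blocks the `__reduce__` vector but still parses an attacker-controlled stream with a complex format, and it cannot be retrofitted to code that needs to unpickle real objects. Replacing pickle with a schema-checked data format removes the class of bug, which is why "use a safe deserialiser" is the wrong framing for advisories like this one.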
How to fix CVE-2022-31604
To remediate CVE-2022-31604, upgrade the affected package to a fixed version below.
- upgrade to 2.1.2 or later
Is CVE-2022-31604 being exploited?
Low. EPSS is 2.4%, i.e. a low estimated probability of exploitation in the wild within the next 30 days. EPSS is a prediction, not a record of observed attacks, and a low score does not mean the bug is hard to exploit: unpickling attacker-supplied bytes is trivially weaponisable, so deployments that expose the PKI endpoint to untrusted networks should still upgrade promptly.
Affected packages (2)
- from 0, < 2.1.2
- from 0, < 2.1.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |