NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.
The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) indicates that an attacker can gain access to protected resources or server functions through an alternative path or communication channel, bypassing standard authentication mechanisms. The attack requires no privileges or user interaction and can be conducted remotely over the network. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms low attack complexity and no prerequisites.
An attacker can execute arbitrary code on the server (RCE), obtain elevated privileges, modify model or inference request data, cause service unavailability (DoS), or disclose sensitive information processed by the server.
Apply patches available from the vendor in accordance with the references — detailed information about patched versions is available in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5828. Until patches are applied, it is recommended to restrict network access to Triton Inference Server instances through firewall or network segmentation mechanisms.
NVIDIA Triton Inference Server — versions indicated in vendor references (NVIDIA security advisory ID 5828)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinuxwszystkie wersjeNvidia Triton Inference Server
APPNvidia< 26.03
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...