






NVIDIA DGX A100/A800 contains a vulnerability in SBIOS where an attacker may cause improper input validation by providing configuration information in an unexpected format.  A successful exploit of this vulnerability may lead to denial of service, information disclosure, and data tampering.









**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑25521

The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where improper validation of an input parameter may lead to code execution, escalation of privileges, denial of service, information disclosure, and data tampering.

7.5

CWE-250  
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25522

The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where information that is provided in an unexpected format may cause improper validation of an input parameter, which may lead to denial of service, information disclosure, and data tampering.

7.5

CWE-20  
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following tables list the NVIDIA systems affected, firmware versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**Note:** To get the updated BMC and SBIOS versions listed in the tables, upgrade to the NVIDIA DGX A100 Firmware Update Container Version 23.06.3. Firmware updates are available through the NVIDIA Enterprise Support Portal.

**Security Advisory CVE IDs Addressed by NVIDIA**

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25521

NVIDIA DGX

NVIDIA DGX A100  
NVIDIA DGX A800

All SBIOS versions prior to 1.21

1.21

CVE‑2023‑25522

NVIDIA DGX

NVIDIA DGX A100  
NVIDIA DGX A800

All SBIOS versions prior to 1.21

1.21

**Security Advisory CVE IDs Addressed by AMI**

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2022‑26872  
CVE‑2022‑40259  
CVE‑2022‑2827  
CVE‑2022‑40242

NVIDIA DGX

NVIDIA DGX A100  
NVIDIA DGX A800

All BMC versions prior to 00.20.04

00.20.04

CVE‑2021‑26316  
CVE‑2021‑39298  
CVE‑2021‑26402  
CVE‑2022‑23813  
CVE‑2022‑23814  
CVE‑2021‑26328

NVIDIA DGX

NVIDIA DGX A100  
NVIDIA DGX A800

All SBIOS versions prior to 1.21

1.21

**Security Vulnerabilities Reported by AMI**

The following table lists potential security vulnerabilities in some AMI MegaRAC SP-X baseboard management controllers that have been reported by AMI. These vulnerabilities may allow user enumeration, unauthorized access, or arbitrary code execution. The NVIDIA DGX-1, NVIDIA DGX-2, NVIDIA DGX Station, and NVIDIA DGX Station A100 systems are not vulnerable to these issues.

**CVE ID**

**Severity**

**Vendor**

CVE‑2022‑40259

Critical

AMI

CVE‑2022‑26872

High

AMI

CVE‑2022‑2827

High

AMI

CVE‑2021‑26316

High

AMI

CVE‑2021‑39298

High

AMI

CVE‑2021‑26402

High

AMI

CVE‑2022‑40242

Medium

AMI

CVE‑2022‑23813

Medium

AMI

CVE‑2022‑23814

Medium

AMI

CVE‑2021‑26328

Medium

AMI

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 30, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25522: NVIDIA Support

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture.  IBM X-Force ID:  254036.

**Security Bulletin**

  

**Summary**

IBM i is vulnerable to a remote attacker executing CL commands due to an exploitation of DDM architecture as described in the vulnerability details section. IBM i has addressed the vulnerability in the DDM architecture as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2023-30990  
**DESCRIPTION:**   IBM i could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture.  
CVSS Base score: 5.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254036 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM i

7.5

IBM i

7.4

IBM i

7.3

IBM i

7.2

**Remediation/Fixes**

The issue can be fixed by applying a PTF to IBM i.  IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The IBM i PTF numbers for IBM i 5770-SS1 Base Operating System contain the fix for the vulnerability.

https://www.ibm.com/support/fixcentral

_Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Zoltan Panczel, Silent Signal.

**Change History**

30 Jun 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSB23CE","label":"IBM i 7.5 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SS9QQS","label":"IBM i 7.4 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.4.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0,7.4.0, 7.3.0, 7.2.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSTS2D","label":"IBM i 7.3 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.3.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSC5L9","label":"IBM i 7.2 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.2.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-30990: IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture (CVE-2023-30990)




NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.





**Details**

This section summarizes the potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors follow CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector and CWE**

CVE‑2023‑25523

NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.

3.3

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L  
CWE-476

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.

**Security Updates**

The following table lists the software products and versions affected, and the updated version available from nvidia.com that includes this security update.

Download the update from the CUDA Toolkit Downloads page to apply the security update.

**CVEs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25523

NVIDIA CUDA Toolkit

Linux, Windows

All versions prior to CUDA Toolkit v12.2

CUDA Toolkit v12.2

**Notes**

*   Earlier software releases of this product are also affected. If you are using an earlier release, upgrade to the latest release version.

**Acknowledgements**

NVIDIA thanks the following people for reporting these issues:

CVE‑2023‑25523: Jifan Xiao

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 29, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25523: NVIDIA Support

Hero Qubo HCD01_02_V1.38_20220125 devices allow TELNET access with root privileges by default, without a password.

CVE-2023-22906


NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a guest OS may be able to control resources for which it is not authorized, which may lead to information disclosure and data tampering.



**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE-2022-34671

NVIDIA GPU Display Driver for Windows contains a vulnerability in the user-mode layer, where an unprivileged user can cause an out-of-bounds write, which may lead to code execution, information disclosure, and denial of service.

8.5

CWE: 787  
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25515

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where unexpected untrusted data is parsed, which may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.

7.8

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25516

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause an integer overflow, which may lead to information disclosure and denial of service.

7.1

CWE: 190  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

**NVIDIA vGPU Software**

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑25517

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a guest OS may be able to control resources for which it is not authorized, which may lead to information disclosure and data tampering.

7.1

CWE: 285  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Windows

R535

All driver versions prior to 536.23

536.23

Windows 10 and 11

R470

All drivers versions prior to 474.44 for support of GeForce Kepler desktop

474.44

Windows 7 and 8._x_

R470

All driver versions prior to 474.44

474.44

Studio

Windows

R535

All driver versions

Available the week of June 29, 2023

NVIDIA RTX, Quadro, NVS

Windows

R535

All driver versions prior to 536.25

536.25

R525

All driver versions prior to 529.11

529.11

R470

All driver versions prior to 474.44

474.44

Tesla

Windows

R535

All driver versions prior to 536.25

536.25

R525

All driver versions prior to 529.11

529.11

R470

All driver versions prior to 474.44

474.44

R450

All driver versions prior to 454.23

454.23

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE‑2023‑25515, CVE‑2023‑25516

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Linux

R535

All driver versions prior to 535.54.03

535.54.03

R525

All driver versions prior to 525.125.06

525.125.06

R470

All driver versions prior to 470.199.02

470.199.02

NVIDIA RTX, Quadro, NVS

Linux

R535

All driver versions prior to 535.54.03

535.54.03

R525

All driver versions prior to 525.125.06

525.125.06

R470

All driver versions prior to 470.199.02

470.199.02

Tesla

Linux

R535

All driver versions prior to 535.54.03

535.54.03

R525

All driver versions prior to 525.125.06

525.125.06

R470

All driver versions prior to 470.199.02

470.199.02

R450

All driver versions prior to 450.248.02

450.248.02

**Notes**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 536.19,531.87, 529.08, 574.44, and 454.23, which also contain the security updates.
*   The tables above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA vGPU Software****CVE IDs Addressed in Each Windows vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**CVE IDs Addressed in Each Linux vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux vGPU driver branch

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE‑2023‑25516

**CVE IDs Addressed in Each vGPU Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each vGPU Manager driver branch

**vGPU Manager Driver Branch**

**CVE IDs Addressed**

R535, R525

CVE‑2023‑25516, CVE‑2023‑25517

R470, R450

CVE‑2023‑25516

**Affected Products, Affected Versions, and Updated Versions**

The following table lists NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

Updated Version

**vGPU Software**

**Driver**

vGPU Software

Driver

CVE-2022-34671  
CVE‑2023‑25515

vGPU software (guest driver)

Windows

All versions prior to and including 15.2

528.89

15.3

529.11

All versions prior to and including 13.7

474.30

13.8

474.44

All versions prior to and including 11.12

454.14

11.13

454.23

CVE‑2023‑25516

vGPU software (guest driver)

Linux

All versions prior to and including 15.2

525.105.17

15.3

525.125.06

All versions prior to and including 13.7

470.182.03

13.8

470.199.02

All versions prior to and including 11.12

450.236.01

11.13

450.248.02

CVE‑2023‑25516  
CVE‑2023‑25517

vGPU software (Virtual GPU Manager)

Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM

All versions prior to and including 15.2

525.105.14

15.3

525.125.03

All versions prior to and including 13.7

470.182.02

13.8

470.199.03

All versions prior to and including 11.12

450.236.03

11.13

450.248.03

**Notes**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming****CVE IDs Addressed in Each Windows Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**CVE IDs Addressed in Each Linux Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux Cloud Gaming driver branch

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470, R450

CVE-2022-34671, CVE‑2023‑25515

**CVE IDs Addressed in Each Cloud Gaming Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each Cloud Gaming Manager driver branch

**vGPU Manager Driver Branch**

**CVE IDs Addressed**

R535, R525

CVE‑2023‑25516, CVE‑2023‑25517

R470, R450

CVE‑2023‑25516

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

**Cloud Gaming Software**

**Driver**

**Cloud Gaming Software**

**Driver**

CVE-2022-34671  
CVE‑2023‑25515

NVIDIA Cloud Gaming (guest driver)

Windows

All versions prior to and including May 2023 release

All versions prior to 531.79

June 2023 release

536.25

CVE‑2023‑25516

NVIDIA Cloud Gaming (guest driver)

Linux

All versions prior to and including May 2023 release

All versions prior to 530.51

June 2023 release

535.54.03

CVE‑2023‑25516  
CVE‑2023‑25517

NVIDIA Cloud Gaming (Virtual GPU Manager)

Red Hat Enterprise Linux KVM

All versions prior to and including May 2023 release

All versions prior to 530.51

June 2023 release

535.54.06

**Acknowledgements**

NVIDIA thanks the following people for reporting these issues:

CVE-2022-34671: Piotr Bania - Cisco Talos

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

June 26, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25517: NVIDIA Support

Buffer Overflow vulnerability in mtrojnar osslsigncode v.2.3 and before allows a local attacker to execute arbitrary code via a crafted .exe, .sys, and .dll files.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

*   Notifications
*   Fork 112

*   Code
*   Issues 7
*   Pull requests 2
*   Actions
*   Projects
*   Security
*   Insights

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ mtrojnar/osslsigncode _base:_ 2.2

_head repository:_ mtrojnar/osslsigncode _compare:_ 2.3

CVE-2023-36377: Comparing 2.2...2.3 · mtrojnar/osslsigncode

Cross Site Scripting vulnerability in Maxsite CMS v.108.7 allows a remote attacker to execute arbitrary code via the f_content parameter in the admin/page_new file.

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@nguyenngocquang700) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

CVE-2023-36291: Add SECURITY.md · Issue #500 · maxsite/cms

Cross Site Scripting vulnerability in mlogclub bbs-go v. 3.5.5. and before allows a remote attacker to execute arbitrary code via a crafted payload to the announcements parameter in the settings function.

CVE-2023-36223

Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.

Describe the bug:  
Hi, I found heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp

To Reproduce:  
Steps to reproduce the behavior:

1.  CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE\_CXX\_STANDARD=17
2.  make && make install
3.  iconvert poc /tmp/res

poc file:  
poc1.zip

Evidence:  
\==617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000a602 at pc 0x7f30d95a9823 bp 0x7ffc9cd71f10 sp 0x7ffc9cd71f08  
READ of size 1 at 0x60200000a602 thread T0  
#0 0x7f30d95a9822 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36  
#1 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#2 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#3 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#4 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#5 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#6 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#7 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#8 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#9 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#10 0x7f30d6b32e3f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)  
#11 0x5620dabd1054 in \_start (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0x28054) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)

0x60200000a602 is located 10 bytes to the right of 8-byte region \[0x60200000a5f0,0x60200000a5f8)  
allocated by thread T0 here:  
#0 0x5620dac8ec6d in operator new(unsigned long) (/root/github/oiio-2.4.11.0\_1/dist/bin/iconvert+0xe5c6d) (BuildId: dee6af2e834643e5fa1ac02b9cc829ac746f39a2)  
#1 0x7f30d95a7924 in \_\_gnu\_cxx::new\_allocator::allocate(unsigned long, void const\*) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/ext/new\_allocator.h:127:27  
#2 0x7f30d95a7924 in std::allocator\_traits<std::allocator >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/alloc\_traits.h:464:20  
#3 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_allocate(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:346:20  
#4 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_M\_create\_storage(unsigned long) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:361:33  
#5 0x7f30d95a7924 in std::\_Vector\_base<unsigned char, std::allocator >::\_Vector\_base(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:305:9  
#6 0x7f30d95a7924 in std::vector<unsigned char, std::allocator >::vector(unsigned long, std::allocator const&) /usr/lib/gcc/x86\_64-linux-gnu/11/../../../../include/c++/11/bits/stl\_vector.h:511:9  
#7 0x7f30d95a7924 in OpenImageIO\_v2\_4::ICOInput::readimg() /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:308:32  
#8 0x7f30d95aa6c2 in OpenImageIO\_v2\_4::ICOInput::read\_native\_scanline(int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:429:14  
#9 0x7f30d90fd4e0 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:399:19  
#10 0x7f30d90fd9c2 in OpenImageIO\_v2\_4::ImageInput::read\_native\_scanlines(int, int, int, int, int, int, int, void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:420:16  
#11 0x7f30d90fad9e in OpenImageIO\_v2\_4::ImageInput::read\_scanlines(int, int, int, int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:336:15  
#12 0x7f30d9109c51 in OpenImageIO\_v2\_4::ImageInput::read\_image(int, int, int, int, OpenImageIO\_v2\_4::TypeDesc, void\*, long, long, long, bool (_)(void_, float), void\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageinput.cpp:967:23  
#13 0x7f30d9197dd7 in OpenImageIO\_v2\_4::ImageOutput::copy\_image(OpenImageIO\_v2\_4::ImageInput\*) /root/github/oiio-2.4.11.0\_1/src/libOpenImageIO/imageoutput.cpp:588:19  
#14 0x5620dac9426c in convert\_file(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&) /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:449:27  
#15 0x5620dac99221 in main /root/github/oiio-2.4.11.0\_1/src/iconvert/iconvert.cpp:523:14  
#16 0x7f30d6b32d8f (/lib/x86\_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/github/oiio-2.4.11.0\_1/src/ico.imageio/icoinput.cpp:326:36 in OpenImageIO\_v2\_4::ICOInput::readimg()  
Shadow bytes around the buggy address:  
0x0c047fff9470: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9480: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd  
0x0c047fff9490: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 00 07  
0x0c047fff94a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa  
0x0c047fff94b0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 fa  
\=>0x0c047fff94c0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==617==ABORTING

Platform information:  
OIIO branch/version: 2.4.12  
OS: Linux  
C++ compiler: clang-14.0.6

CVE-2023-36183: [BUG] Heap-buffer-overflow in function ICOInput::readimg in file src/ico.imageio/icoinput.cpp · Issue #3871 · OpenImageIO/oiio

Cross Site Scripting vulnerability in mlogclub bbs-go v. 3.5.5. and before allows a remote attacker to execute arbitrary code via a crafted payload to the comment parameter in the article function.

**漏洞名称**  
bbs-go 存储式跨站脚本漏洞

**受影响实体版本号**  
bbs-go <= 3.5.5

**漏洞类型**  
存储式跨站脚本

**危害等级**  
高危

**漏洞简介**  
bbs-go是一个使用Go语言搭建的开源社区系统，采用前后端分离技术，Go语言提供api进行数据支撑，用户界面使用Nuxt.js进行渲染，后台界面基于element-ui。  
bbs-go存在存储式跨站脚本漏洞，该漏洞源于程序未正确处理来自用户的输入。用户注册后在文章评论处可以注入恶意javascript脚本，管理员在管理端-内容管理-文章管理处点击查看评论时触发恶意脚本，导致泄露cookie等信息。  
以下产品及版本受到影响：bbs-go <= 3.5.5  
bbs-go的下载地址：https://github.com/mlogclub/bbs-go

**漏洞验证**  
前置条件：用户注册登录  
步骤：

1.  运行bbs-go = 3.5.5环境
2.  配置burpsuite抓包
3.  前台注册一个用户test4：

4.  test4登录
5.  点击“文章”，找到一篇文章，或者自己发表一篇文章

6.  评论，输入payload:并发布

完整请求报文：  
POST /api/comment/create HTTP/1.1  
Host: 192.168.111.130:3000  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
X-Client: bbs-go-site  
X-User-Token: 1c1c47cb70f447589944117cb339518b  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 100  
Origin: http://192.168.111.130:3000  
Connection: close  
Referer: http://192.168.111.130:3000/article/4  
Cookie: Hm\_lvt\_79b8ff82974d0769ef5c629e4cd46629=1677550437; Hm\_lpvt\_79b8ff82974d0769ef5c629e4cd46629=1677639532; Admin-Token=57581e925fad47688596c13f8a48803d; userToken=1c1c47cb70f447589944117cb339518b

entityType=article&entityId=4&content=%3Cimg%20src%20onerror%3Dalert%28123%29%3E&imageList=&quoteId=  
7\. 使用管理员账号admin/123456登录管理端，点击内容管理-文章管理，选择这篇文章，查看评论

触发XSS

**修复建议**  
bbs-go\\server\\controllers\\admin\\comment\_controller.go:71  
改为builder.Put("content", html.EscapeString(comment.Content))  
对comment.Content进行html实体编码可临时解决该漏洞。

Source

CVE