CVSS: 8.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information disclosure. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NVIDIA Onyx switches. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /admin/launch endpoint. When parsing the script query parameter, the process does not properly validate a user-supplied path prior to using it in file operations.

• https://nvidia.custhelp.com/app/answers/detail/a_id/5563
• CWE-35: Path Traversal: '.../