CVE-2022-28195 - OpenCVE

NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_read_file function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause a integer overflow, which may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity. The scope of impact can extend to other components.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nvidia	Jetson Agx Xavier Jetson Linux Jetson Xavier Nx

Configuration 1 [-]

AND

cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:nvidia:jetson_agx_xavier:-:::::::*
	cpe:2.3:h:nvidia:jetson_xavier_nx:-:::::::*

No data.

References

Link	Providers
https://nvidia.custhelp.com/app/answers/detail/a_id/5343

History

No history.

MITRE

Status: PUBLISHED

Assigner: nvidia

Published: 2022-04-27T17:57:35

Updated: 2024-08-03T05:48:37.504Z

Reserved: 2022-03-30T00:00:00

Link: CVE-2022-28195

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-27T18:15:08.037

Modified: 2022-10-14T11:20:28.217

Link: CVE-2022-28195

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Jetson AGX Xavier series, Jetson Xavier NX", "vendor": "NVIDIA", "versions": [{"status": "affected", "version": "All 32.x versions prior to 32.7.2"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_read_file function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause a integer overflow, which may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity. The scope of impact can extend to other components."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-30T18:00:18", "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "shortName": "nvidia"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5343"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@nvidia.com", "ID": "CVE-2022-28195", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jetson AGX Xavier series, Jetson Xavier NX", "version": {"version_data": [{"version_value": "All 32.x versions prior to 32.7.2"}]}}]}, "vendor_name": "NVIDIA"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_read_file function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause a integer overflow, which may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity. The scope of impact can extend to other components."}]}, "impact": {"cvss": {"baseScore": 5.7, "baseSeverity": "Medium", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://nvidia.custhelp.com/app/answers/detail/a_id/5343", "refsource": "MISC", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5343"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:48:37.504Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5343"}]}]}, "cveMetadata": {"assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6", "assignerShortName": "nvidia", "cveId": "CVE-2022-28195", "datePublished": "2022-04-27T17:57:35", "dateReserved": "2022-03-30T00:00:00", "dateUpdated": "2024-08-03T05:48:37.504Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:nvidia:jetson_linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C65BE02-61B8-4A4D-84A8-52BCA6895C34", "versionEndExcluding": "32.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:nvidia:jetson_agx_xavier:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DD3D2AA-2A9F-470D-BB0F-A7B7C2EC2490", "vulnerable": false}, {"criteria": "cpe:2.3:h:nvidia:jetson_xavier_nx:-:*:*:*:*:*:*:*", "matchCriteriaId": "B0AA5976-FD71-4A53-BD4F-D342E871FEB0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_read_file function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause a integer overflow, which may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity. The scope of impact can extend to other components."}, {"lang": "es", "value": "El paquete de controladores de NVIDIA Jetson para Linux contiene una vulnerabilidad en la funci\u00f3n Cboot ext4_read_file, en la que una validaci\u00f3n insuficiente de los datos que no son de confianza puede permitir a un atacante local con muchos privilegios provocar un desbordamiento de enteros, lo que puede dar lugar a la ejecuci\u00f3n de c\u00f3digo, una escalada de privilegios, una denegaci\u00f3n de servicio limitada y cierto impacto en la confidencialidad y la integridad. El alcance del impacto puede extenderse a otros componentes"}], "id": "CVE-2022-28195", "lastModified": "2022-10-14T11:20:28.217", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 3.7, "source": "psirt@nvidia.com", "type": "Secondary"}]}, "published": "2022-04-27T18:15:08.037", "references": [{"source": "psirt@nvidia.com", "tags": ["Vendor Advisory"], "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5343"}], "sourceIdentifier": "psirt@nvidia.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@nvidia.com", "type": "Secondary"}]}