NvidiaNVIDIA:5318Security Bulletin: NVIDIA Omniverse Launcher - January 2022
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
69.5%
NVIDIA has released a software update for NVIDIA Omniverse Launcher to address a security issue that may lead to privilege escalation, impacting confidentiality and integrity.
To protect your system, open the Omniverse Launcher client which will automatically apply the security update. Alternatively, you can download and install this software update from the Omniverse Downloads page.
Go to NVIDIA Product Security.
Details
This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.
| CVE ID | Description | Base Score | Vector |
|---|---|---|---|
| CVE‑2022‑21817 | NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get user to browse malicious site, to acquire access tokens allowing them to access resources in other security domains, which may lead to code execution, escalation of privileges, and impact to confidentiality and integrity. | 9.3 | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.
Security Update
The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.
To protect your system, open the Omniverse Launcher client which will automatically apply the security update. Alternatively, you can download and install this software update from the Omniverse Downloads page.
| CVE IDs Addressed | Software Product | Operating System | Affected Versions | Updated Version |
|---|---|---|---|---|
| CVE‑2022‑21817 | NVIDIA Omniverse Launcher | Windows and Linux | All versions prior to 1.5.2 | 1.5.2 |
Notes
- Earlier software releases that support this product are also affected. If you are using an earlier release, upgrade to the latest branch release.
Mitigations
None. See Security Update for the version to install.
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
69.5%