CVE-2025-23260
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-12-15
Assigner: NVIDIA Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | aistore_on_kubernetes | to 2.3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the NVIDIA AIStore AIS Operator component on Kubernetes versions prior to 2.3.0. It allows a user to exploit the ServiceAccount attached to a ClusterRole to gain elevated access within the Kubernetes cluster. The issue is due to improper access control (CWE-266), enabling an attacker with low privileges to escalate their access without user interaction, potentially leading to unauthorized information disclosure. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to gain elevated access to the Kubernetes cluster, resulting in unauthorized disclosure of sensitive information. However, it does not impact data integrity or availability. The attack complexity is low, and it requires only low privileges to exploit. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade NVIDIA AIStore on Kubernetes to version 2.3.0 or later, as this version contains the fix for the AIS Operator privilege escalation issue. This is the recommended immediate step to prevent exploitation. [1]