PT-2022-15697 · Nvidia · Nvidia Nemo

Haby0 · Published 2022-01-08 · Updated 2022-02-15 · CVE-2022-22821

CVSS v2.0: 2.1 (Low)

Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

NVIDIA NeMo versions prior to 1.6.0

Description

The issue is a Relative Path Traversal vulnerability in the ASR WebApp of NVIDIA NeMo. Through the use of the "../" structure, it may lead to the deletion of any directory when admin privileges are available. The vulnerability affects cases where the ASR WebApp is used with superuser permissions, and it impacts users who clone the repository and execute the web app.

Recommendations

For versions prior to 1.6.0, apply the changes from the commit https://github.com/NVIDIA/NeMo/commit/f7e4ed7e4f7f2fa43765a38c2fafa1b6d1ebd7c0 to patch the vulnerability. As a temporary workaround, consider restricting the use of the ASR WebApp or running it without superuser permissions to minimize the risk of exploitation.
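
As an added illustration of the class of check that closes a "../" directory-deletion bug (this is not NeMo's code and not the content of the fix commit), the sketch below confines a client-supplied directory name to one base directory before deleting it. The names `resolve_inside`, `remove_user_dir` and the `uploads`/`models` layout are hypothetical and constructed for the example.

```python
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """The requested name resolves outside the allowed base directory."""


def resolve_inside(base_dir, user_name):
    """Return the resolved target only if it is strictly below base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses "../" segments and follows symlinks before the check.
    target = (base / user_name).resolve()
    if base not in target.parents:  # also rejects "", "." and absolute paths
        raise UnsafePathError(f"{user_name!r} escapes {base}")
    return target


def is_allowed(base_dir, user_name):
    try:
        resolve_inside(base_dir, user_name)
        return True
    except UnsafePathError:
        return False


def remove_user_dir(base_dir, user_name):
    """Delete a directory named by the client, confined to base_dir."""
    target = resolve_inside(base_dir, user_name)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo():
    # Constructed layout: uploads/ is the only tree the app may delete from.
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root) / "uploads"
        (uploads / "session1").mkdir(parents=True)
        models = Path(root) / "models"
        models.mkdir()
        removed = remove_user_dir(uploads, "session1")
        blocked = not is_allowed(uploads, "../models")
        return {"removed": removed, "blocked": blocked,
                "outside_survives": models.is_dir()}


if __name__ == "__main__":
    print(demo())
```

The check compares fully resolved paths rather than filtering the input string, so it also covers absolute paths and symlinks that point out of the base directory.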

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-22821
GHSA-9HG3-HMMF-C3GR
GHSA-RPX7-33J2-XX9X

Affected Products

Nvidia Nemo