CVE-2022-31604

Name of the Vulnerable Software and Affected Versions NVFLARE versions prior to 2.1.2

Description The issue is related to NVFLARE's PKI implementation module, where CA credentials are transported via pickle without safe deserialization. This may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and impact both Confidentiality and Integrity.

Recommendations For versions prior to 2.1.2, update to version 2.1.2 to resolve the issue. As a temporary workaround, consider replacing pickle serialization with JSON and changing the code accordingly to minimize the risk of exploitation.