CVE-2022-34668

Name of the Vulnerable Software and Affected Versions NVFLARE versions prior to 2.1.4

Description The issue concerns deserialization of untrusted data due to Pickle usage, which may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and impact both Confidentiality and Integrity.

Recommendations For versions prior to 2.1.4, update to version 2.1.4, which uses MessagePack instead of Pickle for serialization and deserialization. Note that some object serializations supported by Pickle are not supported by MessagePack, so users may need to convert objects to numpy or bytes before sending them to remote machines. Refer to the list of supported object types for more information.