
Cloud Vulnerability DB
A community-led vulnerabilities database
NVIDIA NeMo before version 1.6.0 contains a vulnerability in the ASR WebApp, where a path traversal attack using '../' sequences can lead to deletion of arbitrary directories when the web app runs with admin privileges. The vulnerability was discovered on December 16, 2021, and was assigned CVE-2022-22821 (GitHub Advisory).
The vulnerability is classified as CWE-23 (Relative Path Traversal) and affects the optional ASR WebApp tool. The issue stems from insufficient validation of user input in certain interfaces: a user-controlled path is used without being confined to its intended base directory, so a request containing '../' components can reach directories outside it. The vulnerability only impacts deployments where the web application is started with superuser permissions. The web app is not included in regular pip releases or containers, so only users who clone the entire repository and run the web app with elevated privileges are affected (GitHub Advisory).
The vulnerability has a low severity, with a CVSS score of 2.0 (AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N). When exploited, it could allow an attacker to delete arbitrary directories on the system, but the vector reflects that this requires local access, high privileges and user interaction, and the impact is limited to integrity (GitHub Advisory).
The vulnerability has been patched in version 1.6.0 via commit f7e4ed7. Users can either upgrade to version 1.6.0 or later, or apply the changes from commit f7e4ed7 to their existing installation. Since the web app is not distributed via pip release or container, users who clone the main branch at or after this commit automatically receive the patch (GitHub Advisory).
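The advisory names the root cause (a user-supplied path used without being confined to its base directory) but does not show the NeMo code or its fix. The following is an added example, not code from NeMo or from commit f7e4ed7, that contrasts the insufficient-validation pattern CWE-23 describes with a containment check built on resolved paths. The base directory name and the directory-deletion helper are hypothetical; the check is the generic defence, not NeMo's actual patch.

```python
import os
import shutil
from pathlib import Path


def naive_target(base_dir: str, user_path: str) -> str:
    """Insufficient validation: normpath() collapses '../' after the join,
    so a crafted component walks out of base_dir (the CWE-23 pattern)."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_under_base(base_dir: str, user_path: str) -> Path:
    """Resolve a user-supplied path strictly inside base_dir.

    Both sides are fully resolved (symlinks included) and compared by path
    component, not by string prefix, so '../uploads_evil' is rejected even
    though it shares a prefix with '.../uploads'. Raises ValueError on escape.
    """
    base = Path(base_dir).resolve()
    # A leading separator would make Path ignore base entirely, so strip it:
    # an absolute user path is then treated as relative to base.
    candidate = (base / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper for callers that just want an allow/deny decision."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except ValueError:
        return False


def delete_session_dir(base_dir: str, user_path: str) -> Path:
    """Hypothetical web-app handler: delete a per-session directory only after
    it has been validated to lie under base_dir, and never base_dir itself."""
    target = resolve_under_base(base_dir, user_path)
    if target == Path(base_dir).resolve():
        raise ValueError("refusing to delete the base directory itself")
    if not target.is_dir():
        raise FileNotFoundError(target)
    shutil.rmtree(target)
    return target


if __name__ == "__main__":
    # Constructed inputs: the first escapes, the second stays inside.
    print(naive_target("/srv/uploads", "../etc"))        # escapes
    print(is_safe_path("/srv/uploads", "../etc"))        # False
    print(is_safe_path("/srv/uploads", "user1/session")) # True
```

The decisive detail is `relative_to()` on resolved `Path` objects rather than `str.startswith()` on joined strings: a prefix comparison accepts a sibling directory whose name merely begins with the base name, and an unresolved comparison misses symlinks planted inside the base that point elsewhere.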
Source: This report was generated using AI