CVE-2022-34668: 
Python vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-34668) was discovered in NVFLARE affecting versions prior to 2.1.4. The vulnerability stems from unsafe deserialization of untrusted data due to Pickle usage, which could allow an unprivileged network attacker to execute remote code (NVIDIA GitHub).

The vulnerability is related to the deserialization of untrusted data through Python's Pickle module. It received a CVSS score of 9.8 (Critical) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical nature of the vulnerability allows attackers to exploit the deserialization process to execute arbitrary code during the deserialization of untrusted data (NVIDIA GitHub).

The vulnerability can lead to Remote Code Execution (RCE), Denial of Service (DoS), and impacts both the confidentiality and integrity of the affected systems. As an unprivileged network attacker can exploit this vulnerability, the potential impact is considered severe (NVIDIA GitHub).

The vulnerability was patched in NVFLARE version 2.1.4, which replaced Pickle with MessagePack for serialization and deserialization. No workarounds are available for earlier versions, making it crucial to upgrade to version 2.1.4 or later. The new version provides out-of-box support for built-in NVFLARE objects, though some object serializations previously supported by Pickle may require conversion to numpy or bytes before transmission (NVIDIA GitHub).