CVE-2024-0129: 
NixOS vulnerability analysis and mitigation

CVE-2024-0129 is a security vulnerability discovered in NVIDIA NeMo's SaveRestoreConnector component, which was disclosed on October 15, 2024. The vulnerability affects all versions of NeMo prior to r2.0.0rc0 across Windows, Linux, and MacOS operating systems. The issue involves a path traversal vulnerability that can be exploited through unsafe .tar file extraction (NVIDIA Advisory, NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'). It received a CVSS v3.1 base score of 6.3 (Medium) from NVIDIA with a vector string of AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, while NIST assigned a higher severity score of 7.8 (High) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVIDIA Advisory, NVD).

A successful exploitation of this vulnerability can lead to code execution and data tampering on affected systems. The vulnerability affects NeMo, which is used for developing custom generative AI including large language models, multimodal, vision, and speech AI applications (SecurityWeek, NVIDIA Advisory).

NVIDIA has released a patch to address this vulnerability. Users are strongly advised to upgrade to NeMo version r2.0.0rc0 or later. The update is available for download from the Releases tab on the NeMo Github page (NVIDIA Advisory).

The vulnerability was discovered and reported by Ryan Tracey from HiddenLayer. The security community has noted this as a significant finding given NeMo's role in generative AI development and its potential impact on enterprise systems (SecurityWeek).