{"api_version":"1","generated_at":"2026-04-23T01:00:00+00:00","cve":"CVE-2023-25508","urls":{"html":"https://cve.report/CVE-2023-25508","api":"https://cve.report/api/cve/CVE-2023-25508.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-25508","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-25508"},"summary":{"title":"CVE-2023-25508","description":"NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler, where an attacker with the appropriate level of authorization can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.","state":"PUBLIC","assigner":"psirt@nvidia.com","published_at":"2023-04-22 03:15:00","updated_at":"2023-04-29 03:05:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5458","name":"https://nvidia.custhelp.com/app/answers/detail/a_id/5458","refsource":"MISC","tags":[],"title":"Security Bulletin: NVIDIA DGX-1 - April 2023 | NVIDIA","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25508","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25508","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"25508","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"nvidia","cpe5":"bmc","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"25508","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"nvidia","cpe5":"dgx-1","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-25508","ASSIGNER":"psirt@nvidia.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler, where an attacker with the appropriate level of authorization can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","cweId":"CWE-22"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"NVIDIA","product":{"product_data":[{"product_name":"NVIDIA DGX servers","version":{"version_data":[{"version_affected":"=","version_value":"All BMC versions prior to 3.39.3"}]}}]}}]}},"references":{"reference_data":[{"url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5458","refsource":"MISC","name":"https://nvidia.custhelp.com/app/answers/detail/a_id/5458"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":6.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-04-22 03:15:00","lastModifiedDate":"2023-04-29 03:05:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:nvidia:bmc:*:*:*:*:*:*:*:*","versionEndExcluding":"3.39.30","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:nvidia:dgx-1:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":null,"notes":[]}}}