CVE-2024-35199

2024-07-1902:15:14

CWE-668

GitHub_M

web.nvd.nist.gov

torchserve

pytorch models

grpc

amazon sagemaker

eks

vulnerability

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

AI Score

4.7

Confidence

High

EPSS

Percentile

16.0%

JSON

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Vulnrichment

Node

pytorchserveRange0.3.0–0.11.0

VendorProductVersionCPE
pytorchserve*cpe:2.3:a:pytorch:serve:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pytorch	serve	*	cpe:2.3:a:pytorch:serve::::::::

CNA Affected

[
  {
    "vendor": "pytorch",
    "product": "serve",
    "versions": [
      {
        "version": ">= 0.3.0, < 0.11.0",
        "status": "affected"
      }
    ]
  }
]