CVE-2024-31580
PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input...
PT-2024-5965 · Pytorch +1 · Pytorch +1
Name of the Vulnerable Software and Affected Versions: Pytorch versions prior to v2.2.0 Description: The issue is related to a use-after-free vulnerability in the torch/csrc/jit/mobile/interpreter.cpp component of the PyTorch machine learning framework. This vulnerability can be exploited to...
PyTorch Serve Server-Side Request Forgery
PyTorch Serve version prior to 0.8.2 and versions using a default configuration are vulnerable to a Server-Side Request Forgery allowing an unauthenticated user to write a file to disk, that can lead to an arbitrary code execution. No source data...
BIT-PYTORCH-2022-45907
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely...
New Hugging Face Vulnerability Exposes AI Models to Supply Chain Attacks
Cybersecurity researchers have found that it's possible to compromise the Hugging Face Safetensors conversion service to ultimately hijack the models submitted by users and result in supply chain attacks. "It's possible to send malicious pull requests with attacker-controlled data from the Huggin...
AZL-34464 CVE-2024-27318 affecting package pytorch for versions less than 2.0.0-6
Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch adde...
AZL-35146 CVE-2024-27318 affecting package pytorch for versions less than 2.2.2-1
Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch adde...
AZL-34465 CVE-2024-27319 affecting package pytorch for versions less than 2.0.0-4
Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an off by one string copy...
AZL-35148 CVE-2024-27319 affecting package pytorch for versions less than 2.2.2-1
Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an off by one string copy...
GHSA-3F63-HFP8-52JQ vulnerabilities
Vulnerabilities for packages: py3-seaborn, kubeflow-pipelines-visualization-server, py3-pillow...
GHSA-3F63-HFP8-52JQ vulnerabilities
Vulnerabilities for packages: py3-pillow, py3-seaborn, kubeflow-pipelines-visualization-server...
CVE-2023-50447 vulnerabilities
Vulnerabilities for packages: py3-seaborn, kubeflow-pipelines-visualization-server, py3-pillow...
CVE-2023-50447 vulnerabilities
Vulnerabilities for packages: py3-pillow, py3-seaborn, kubeflow-pipelines-visualization-server...
GHSA-H5C8-RQWP-CP95 vulnerabilities
Vulnerabilities for packages: reflex, py3-jinja2, kubeflow-pipelines-visualization-server, checkov...
CVE-2024-22195 vulnerabilities
Vulnerabilities for packages: reflex, py3-jinja2, kubeflow-pipelines-visualization-server, checkov...
CVE-2024-22195 vulnerabilities
Vulnerabilities for packages: checkov, reflex, kubeflow-pipelines-visualization-server, py3-jinja2...
Security Bulletin: PyTorch vulnerability affects IBM Watson Machine Learning in Cloud Pak for Data [CVE-2022-45907]
Summary: PyTorch vulnerability affects IBM Watson Machine Learning in Cloud Pak for Data. The vulnerability is addressed below. Vulnerability Details CVEID: CVE-2022-45907 DESCRIPTION: PyTorch could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the...
a2 (>=0.1.0 <=0.3.17), abnativ (>=1.1.0 <=1.2.9) +337 more potentially affected by CVE-2023-6709 via mlflow (>=0.8.2 <=2.9.1)
mlflow PYPI version =0.8.2, =0.1.0, =1.1.0, =0.0.5, =0.1.0, =0.1.0, =1.7.0, =1.7.0, =1.8.0, =1.7.0, =1.7.0, =0.1.1, =0.1.5 - anovos =1.1.0 - apache-submarine =0.6.0 and more Source cves: CVE-2023-6709 Source advisory: OSV:PYSEC-2023-281...
a2 (>=0.1.0 <=0.3.17), abnativ (>=1.1.0 <=1.2.9) +337 more potentially affected by CVE-2023-43472 via mlflow (>=0.8.2 <=2.8.1)
mlflow PYPI version =0.8.2, =0.1.0, =1.1.0, =0.0.5, =0.1.0, =0.1.0, =1.7.0, =1.7.0, =1.8.0, =1.7.0, =1.7.0, =0.1.1, =0.1.5 - anovos =1.1.0 - apache-submarine =0.6.0 and more Source cves: CVE-2023-43472 Source advisory: OSV:GHSA-WQXF-447M-6F5F...
Code injection
TorchServe is a tool for serving and scaling PyTorch models in production. Starting in version 0.1.0 and prior to version 0.9.0, using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the...