10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
A vulnerability in the PyTorch’s torch.distributed.rpc framework,
specifically in versions prior to 2.2.2, allows for remote code execution
(RCE). The framework, which is used in distributed training scenarios, does
not properly verify the functions being called during RPC (Remote Procedure
Call) operations. This oversight permits attackers to execute arbitrary
commands by leveraging built-in Python functions such as eval during
multi-cpu RPC communication. The vulnerability arises from the lack of
restriction on function calls when a worker node serializes and sends a
PythonUDF (User Defined Function) to the master node, which then
deserializes and executes the function without validation. This flaw can be
exploited to compromise master nodes initiating distributed training,
potentially leading to the theft of sensitive AI-related data.
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%