CVE-2024-35199 – torchserve
Package
Manager: pip
Name: torchserve
Vulnerable Version: >=0.3.0 <0.11.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00043 (percentile 0.12486)
Details
TorchServe gRPC Port Exposure

### Impact

The two gRPC ports, 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, both ports listen on all network interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.

### Patches

This issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083). TorchServe release 0.11.0 includes the fix to address this vulnerability.

### References

* [#3083](https://github.com/pytorch/serve/pull/3083)
* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)

Thanks to Kroll Cyber Risk for responsibly disclosing this issue.

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.
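A host-side check for the condition described under Impact, added here as an example (it is not code from the advisory or from the TorchServe project). It assumes Linux `ss -H -ltn` output as input; the function names and the sample lines are constructed for illustration.

```python
import ipaddress

GRPC_PORTS = {7070, 7071}  # the two TorchServe gRPC ports named in the advisory

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 *:7070 *:*
LISTEN 0 4096 [::ffff:127.0.0.1]:7071 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope and brackets
    if host == "*":                            # dual-stack wildcard bind
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                           # unparsable: report it, do not trust it
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                # ::ffff:127.0.0.1 -> 127.0.0.1
    return addr.is_loopback

def exposed_grpc_listeners(ss_output, ports=GRPC_PORTS):
    """Return sorted (port, bind_address) pairs for watched ports not bound to loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # local address column
        if not port.isdigit() or int(port) not in ports:
            continue
        if not is_loopback(host):
            findings.add((int(port), host))
    return sorted(findings)

if __name__ == "__main__":
    for port, host in exposed_grpc_listeners(SAMPLE_SS):
        print(f"gRPC port {port} is bound to {host}, not loopback")
```

On a live host, pass the text produced by `ss -H -ltn` to `exposed_grpc_listeners`; an empty result means neither port is listening on a non-loopback address.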
Metadata
Created: 2024-07-18T22:06:41Z
Modified: 2024-08-07T16:06:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-hhpg-v63p-wp7w/GHSA-hhpg-v63p-wp7w.json
CWE IDs: ["CWE-1256", "CWE-668"]
Alternative ID: GHSA-hhpg-v63p-wp7w
Finding: F017
Auto approve: 1