CVE-2024-6577 torchserve

Package

Manager: pip
Name: torchserve
Vulnerable Version: >=0 <=0.11.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00057 (percentile 0.17803)

Details

TorchServe script references S3 bucket without ensuring ownership or confirming accessibility

In the latest version of pytorch/serve, the script 'upload_results_to_s3.sh' references the S3 bucket 'benchmarkai-metrics-prod' without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unauthorized access to the bucket if it is not properly secured or claimed by the appropriate entity. The issue may result in data breaches, exposure of proprietary information, or unauthorized modifications to stored data.
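One way an upload script can confirm bucket ownership before writing is shown below. This is an added example, not code from pytorch/serve. The function names bucket_owned_by and safe_upload are hypothetical, and the 12-digit account ID in the usage comment is a constructed placeholder. It assumes the AWS CLI is installed and uses its --expected-bucket-owner option on s3api calls.

```shell
#!/bin/sh
# Added example: refuse to upload unless the target bucket exists and is
# owned by the AWS account the script author expects.

# bucket_owned_by BUCKET ACCOUNT_ID
# Returns 0 if BUCKET exists and is owned by ACCOUNT_ID,
# 2 if ACCOUNT_ID is not a 12-digit number, non-zero otherwise.
bucket_owned_by() {
    bo_bucket=$1
    bo_owner=$2
    case $bo_owner in
        ''|*[!0-9]*) echo "invalid account id: $bo_owner" >&2; return 2 ;;
    esac
    [ "${#bo_owner}" -eq 12 ] || { echo "invalid account id: $bo_owner" >&2; return 2; }
    # head-bucket fails when the bucket is missing (an unclaimed name) or
    # when it belongs to an account other than the expected one.
    aws s3api head-bucket --bucket "$bo_bucket" \
        --expected-bucket-owner "$bo_owner" >/dev/null 2>&1
}

# safe_upload FILE BUCKET KEY ACCOUNT_ID
# Uploads FILE only after the ownership check passes. The owner is asserted
# again on the write itself, so a bucket that changes hands between the
# check and the upload is still rejected.
safe_upload() {
    su_file=$1
    su_bucket=$2
    su_key=$3
    su_owner=$4
    if ! bucket_owned_by "$su_bucket" "$su_owner"; then
        echo "refusing upload: s3://$su_bucket not verified for account $su_owner" >&2
        return 1
    fi
    aws s3api put-object --bucket "$su_bucket" --key "$su_key" \
        --body "$su_file" --expected-bucket-owner "$su_owner" >/dev/null
}

# Usage (constructed values):
#   safe_upload results.json my-metrics-bucket run-42/results.json 111122223333
```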

Metadata

Created: 2025-03-20T12:32:45Z
Modified: 2025-03-21T22:07:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-xx7c-j7h3-vjcq/GHSA-xx7c-j7h3-vjcq.json
CWE IDs: []
Alternative ID: GHSA-xx7c-j7h3-vjcq
Finding: F039
Auto approve: 1