Fluid Attacks Database

Description

PyTorch vulnerable to arbitrary code execution In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. The fix for this issue is available in version 1.13.1. There is a release checker in issue #89855.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	pytorch	=1.12.0-1 \|\| =1.12.0~rc1-1 \|\| =1.12.1-1 \|\| =1.13.1+dfsg-1 \|\| =1.13.1+dfsg-2 \|\| =1.13.1+dfsg-3 \|\| =1.13.1+dfsg-4 \|\| =1.13.1+dfsg-5 \|\| =1.7.1-7 \|\| =1.7.1-7+deb11u1 \|\| =1.8.1-1 \|\| =1.8.1-2 \|\| =1.8.1-3 \|\| =1.8.1-4 \|\| =1.8.1-5 \|\| =2.0.1+dfsg-1 \|\| =2.0.1+dfsg-1~exp1 \|\| =2.0.1+dfsg-2 \|\| =2.0.1+dfsg-4 \|\| =2.0.1+dfsg-5 \|\| =2.1.2+dfsg-1 \|\| =2.1.2+dfsg-2 \|\| =2.1.2+dfsg-4 \|\| =2.12.0+dfsg2-1 \|\| =2.12.0+dfsg2-1~exp1 \|\| =2.12.0+dfsg2-1~exp2 \|\| =2.12.0+dfsg2-2 \|\| =2.12.0+dfsg2-3 \|\| =2.12.0+dfsg2-4 \|\| =2.4.1-1 \|\| =2.4.1-3 \|\| =2.4.1-4 \|\| =2.5.0+dfsg-1 \|\| =2.5.1+dfsg-1 \|\| =2.5.1+dfsg-3 \|\| =2.5.1+dfsg-4 \|\| =2.6.0+dfsg-1 \|\| =2.6.0+dfsg-1~exp1 \|\| =2.6.0+dfsg-2 \|\| =2.6.0+dfsg-3 \|\| =2.6.0+dfsg-4 \|\| =2.6.0+dfsg-5 \|\| =2.6.0+dfsg-7 \|\| =2.6.0+dfsg-8 \|\| =2.6.0+dfsg-9 \|\| =2.6.0~rc9+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp1 \|\| =2.9.0+dfsg-1~exp2 \|\| =2.9.1+dfsg-1~exp1 \|\| =2.9.1+dfsg-1~exp2	-
debian 13	pytorch	>=0 <1.13.1+dfsg-1	1.13.1+dfsg-1
pypi	torch	>=0 <1.13.1	1.13.1
debian 12	pytorch	>=0 <1.13.1+dfsg-1	1.13.1+dfsg-1
debian 14	pytorch	>=0 <1.13.1+dfsg-1	1.13.1+dfsg-1

Aliases

1. CVE-2022-459072. NVD-2022-459073. OSV-DEBIAN-2022-459074. OSV-2022-459075. GCVE-2022-459076. SECURITY-TRACKER-CVE-2022-45907

References

1. https://github.com/pytorch/pytorch/issues/888682. https://github.com/pytorch/pytorch/issues/898553. https://github.com/pytorch/pytorch/pull/891894. https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a35. https://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2022-43015.yaml6. https://github.com/pytorch/pytorch/releases/tag/v1.13.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.