8.2 CVE-2024-35199

Enriched by CISA Patch
 

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2024-35199

Categories

CWE-668 : Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
pytorch serve
  • >= 0.3.0, < 0.11.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:a:pytorch:torchserve:*:*:*:*:*:*:*:* >= 0.3.0 < 0.11.0

REMEDIATION

Patch

Url
https://github.com/pytorch/serve/pull/3083
https://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w
https://github.com/pytorch/serve/pull/3083
https://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w

EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry