GHSA-hhpg-v63p-wp7w: TorchServe gRPC Port Exposure
Impact
The two gRPC ports, 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched both gRPC interfaces listen on all network interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.
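A defender checking a deployment for this issue wants two things: whether the installed TorchServe version falls in the affected range, and whether the gRPC ports are in fact listening on a wildcard address rather than loopback. The script below is an added example (not code from the advisory or from TorchServe); it assumes a listener snapshot in the column layout printed by `ss -ltn` and a plain version string such as "0.10.0", and the two snapshots it embeds are constructed for the example.

```python
"""Detect TorchServe gRPC listeners bound to all interfaces.

Added example, not code from the advisory or from TorchServe. It assumes a
listener snapshot in the format printed by `ss -ltn` (State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port) and a TorchServe version string such
as "0.10.0"; the snapshots below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# TorchServe's default gRPC ports: 7070 (inference) and 7071 (management).
GRPC_PORTS = {7070: "gRPC inference", 7071: "gRPC management"}

# Local-address forms that mean "every interface" in ss/netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "*", "::", "[::]"}

# Affected range from the advisory: >= 0.3.0, < 0.11.0.
AFFECTED_MIN = (0, 3, 0)
PATCHED = (0, 11, 0)


@dataclass(frozen=True)
class Listener:
    host: str
    port: int


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '0.10.0' (or a local tag like '0.10.0+cpu') into a comparable tuple."""
    core = version.split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(version: str) -> bool:
    """True when the installed version falls in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < PATCHED


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (host, port) pairs from `ss -ltn`-style output; the header is skipped."""
    listeners: list[Listener] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms such as "[::]:7071" intact.
        host, _, port = fields[3].rpartition(":")
        listeners.append(Listener(host=host, port=int(port)))
    return listeners


def wildcard_grpc_listeners(listeners: list[Listener]) -> dict[int, str]:
    """Map each gRPC port bound to a wildcard address to the address it uses."""
    return {
        item.port: item.host
        for item in listeners
        if item.port in GRPC_PORTS and item.host in WILDCARD_HOSTS
    }


def assess(version: str, ss_output: str) -> dict:
    """Combine the version check with the live listener check.

    A wildcard binding is a finding on any version: the patch changes only
    the default, an explicit configuration can still expose the ports.
    """
    exposed = wildcard_grpc_listeners(parse_listeners(ss_output))
    return {
        "affected_version": version_affected(version),
        "exposed": exposed,
        "findings": [
            f"{GRPC_PORTS[port]} port {port} listens on {host}"
            for port, host in sorted(exposed.items())
        ],
    }


# Constructed sample: REST ports on loopback, gRPC ports on wildcard addresses.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*
LISTEN  0       4096    127.0.0.1:8081       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:7070         0.0.0.0:*
LISTEN  0       4096    [::]:7071            [::]:*
"""

# Constructed sample of the expected state after the fix (loopback only).
SAMPLE_SS_OUTPUT_FIXED = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:7070       0.0.0.0:*
LISTEN  0       4096    127.0.0.1:7071       0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in assess("0.10.0", SAMPLE_SS_OUTPUT)["findings"]:
        print(finding)
```

On a real host, feed `assess()` the output of `ss -ltn` and the version reported by `pip show torchserve`; an empty `findings` list on a version at or above 0.11.0 is the expected post-upgrade state, while any finding on a patched version points at an explicit bind address in the local configuration rather than at the default.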
Patches
This issue in TorchServe has been fixed in #3083.
TorchServe release 0.11.0 includes the fix to address this vulnerability.
References
Thanks to Kroll Cyber Risk for responsibly disclosing this issue.
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.
High severity. GitHub Reviewed. Published Jul 18, 2024 in pytorch/serve. Updated Jul 18, 2024.
Package: torchserve (pip)
Affected versions: >= 0.3.0, < 0.11.0
Patched versions: 0.11.0
References
- GHSA-hhpg-v63p-wp7w
- pytorch/serve#3083
- pytorch/serve@aab9950
- https://github.com/pytorch/serve/releases/tag/v0.11.0
namannandan published to pytorch/serve: Jul 18, 2024
Published to the GitHub Advisory Database: Jul 18, 2024
Reviewed: Jul 18, 2024
Last updated: Jul 18, 2024
Severity: High (CVSS base score 8.2 / 10)
CVSS base metrics
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: High
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Weaknesses: CWE-1256
CVE ID: CVE-2024-35199
GHSA ID: GHSA-hhpg-v63p-wp7w
Source code: pytorch/serve