CVE-2024-35199
HIGH8.2EPSS 0.07%TorchServe gRPC Port Exposure
描述
### Impact The two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. ### Patches This issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083). TorchServe release 0.11.0 includes the fix to address this vulnerability. ### References * [#3083](https://github.com/pytorch/serve/pull/3083) * [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0) Thank Kroll Cyber Risk for for responsibly disclosing this issue. If you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.
受影響套件(1)
- PyPI/torchserve>= 0.3.0, < 0.11.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-35199
- PATCHhttps://github.com/pytorch/serve
- WEBhttps://github.com/pytorch/serve/commit/aab99506a17193de217aacc1119d9381dbc6ed2b
- WEBhttps://github.com/pytorch/serve/pull/3083
- WEBhttps://github.com/pytorch/serve/releases/tag/v0.11.0
- WEBhttps://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w