Torchserve
CVE-2024-35199
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.
Technical ContextAI
This vulnerability is classified as Exposure of Resource to Wrong Sphere (CWE-668), which allows attackers to access resources from an unintended security context. TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Pytorch Torchserve.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement proper access controls, validate resource access permissions, use security boundaries.
More in Torchserve
View allTorchServe is a tool for serving and scaling PyTorch models in production. Rated critical severity (CVSS 9.8), this vuln
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. Rated critical sever
TorchServe is a tool for serving and scaling PyTorch models in production. Rated medium severity (CVSS 5.3), this vulner
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today