8.2

CVE-2024-35199

EPSS 0.09%
Veröffentlicht 19.07.2024 02:15:14
Zuletzt bearbeitet 04.09.2025 15:46:54
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pytorch ≫ Torchserve Version >= 0.3.0 < 0.11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.267

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/pytorch/serve/releases/tag/v0.11.0

Release Notes

https://github.com/pytorch/serve/pull/3083

Patch

https://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-35199

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-35199

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-35199

EUVD