CVE-2024-35199
published 2024-07-19CVE-2024-35199: TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are…
PriorityP345high8.2CVSS 3.1
AVNACLPRNUINSUCLINAH
EPSS
0.63%
45.7th percentile
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pytorch | serve | — | — |
| pytorch | torchserve | >= 0.3.0 < 0.11.0 | 0.11.0 |
| pytorch | torchserve | >= 0.3.0 < 0.11.0 | 0.11.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
TorchServe gRPC Port Exposure
ghsa·2024-07-18
CVE-2024-35199 [HIGH] CWE-1256 TorchServe gRPC Port Exposure
TorchServe gRPC Port Exposure
### Impact
The two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.
### Patches
This issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083).
TorchServe release 0.11.0 includes the fix to address this vulnerability.
### References
* [#3083](https://github.com/pytorch/serve/pull/3083)
* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)
Thank Kroll Cyber Risk for for responsibly disclosing this issue.
If you have any questions or comments about this advisory,
OSV
TorchServe gRPC Port Exposure
osv·2024-07-18
CVE-2024-35199 [HIGH] TorchServe gRPC Port Exposure
TorchServe gRPC Port Exposure
### Impact
The two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.
### Patches
This issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083).
TorchServe release 0.11.0 includes the fix to address this vulnerability.
### References
* [#3083](https://github.com/pytorch/serve/pull/3083)
* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)
Thank Kroll Cyber Risk for for responsibly disclosing this issue.
If you have any questions or comments about this advisory,
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/pytorch/serve/pull/3083https://github.com/pytorch/serve/releases/tag/v0.11.0https://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7whttps://github.com/pytorch/serve/pull/3083https://github.com/pytorch/serve/releases/tag/v0.11.0https://github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w
2024-07-19
Published