CVE-2022-0315: Use of insecure temporary file in Horovod
The insecure tempfile.mktemp() is used when Horovod is run in an LSF job with jsrun. In that situation, a jsrun rank file is created with mktemp, which could be hijacked by another process to read or manipulate the content. This issue does not impact the use of MPI, Gloo, Spark or Ray.
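As an added illustration (not Horovod's own code, and not the fix from the linked commit or pull request), the following Python contrasts the mktemp() pattern described above with a writer that uses mkstemp(); the rank-file lines and the rankfile- prefix are constructed sample data.

```python
import os
import stat
import tempfile

# Constructed sample content in the style of a jsrun rank file.
# These lines are example data, not output from Horovod or LSF.
RANK_LINES = [
    "rank: 0: { hostname: node1; cpu: {0-3}; gpu: {0} }",
    "rank: 1: { hostname: node1; cpu: {4-7}; gpu: {1} }",
]


def mktemp_leaves_window():
    """mktemp() only picks a name; it does not create the file.
    Returns True when the path does not exist at the moment mktemp() returns,
    which is exactly the window another local process can use to claim it."""
    path = tempfile.mktemp(prefix="rankfile-")
    return not os.path.exists(path)


def write_rank_file_insecure(lines):
    """The weak pattern: name first, open later. Between mktemp() and open(),
    a second process can create the same path (or a symlink at it), so the
    write below lands in a file it controls. Shown for contrast only."""
    path = tempfile.mktemp(prefix="rankfile-")
    with open(path, "w") as f:  # file is created here, after the window
        f.write("\n".join(lines) + "\n")
    return path


def write_rank_file_secure(lines):
    """Hardened form: mkstemp() creates the file atomically with
    O_CREAT|O_EXCL and mode 0o600 and returns an open descriptor, so there is
    no gap in which the path can be pre-created or replaced by someone else."""
    fd, path = tempfile.mkstemp(prefix="rankfile-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def file_mode(path):
    """Permission bits of a path, used to confirm the 0o600 result."""
    return stat.S_IMODE(os.stat(path).st_mode)


def read_rank_file(path):
    """Read the rank file back as a list of lines (for round-trip checks)."""
    with open(path) as f:
        return f.read().splitlines()


if __name__ == "__main__":
    secure_path = write_rank_file_secure(RANK_LINES)
    print(secure_path, oct(file_mode(secure_path)))  # mode is 0o600
```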
References
- github.com/advisories/GHSA-47wv-vhj2-g66m
- github.com/horovod/horovod
- github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41
- github.com/horovod/horovod/pull/3358
- github.com/horovod/horovod/security/advisories/GHSA-47wv-vhj2-g66m
- github.com/pypa/advisory-database/tree/main/vulns/horovod/PYSEC-2022-175.yaml
- huntr.dev/bounties/7e50397b-dd63-4bb5-b56d-704094a7da45
- nvd.nist.gov/vuln/detail/CVE-2022-0315