CVE-2024-35199: TorchServe gRPC Port Exposure
The two gRPC ports, 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched these two interfaces listen on all network interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.
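Added here as a defender's check, not code from the advisory or the TorchServe project: a Python routine that reads `ss -ltn`-style listener output and reports the two gRPC ports whenever they are bound to anything other than loopback. The sample output is constructed, and the inference/management role labels for 7070/7071 are TorchServe's defaults, assumed here rather than stated in the advisory.

```python
# TorchServe gRPC ports named in the advisory; role labels are assumed defaults.
TORCHSERVE_GRPC_PORTS = {7070: "gRPC inference", 7071: "gRPC management"}
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "::1", "localhost"}

def split_host_port(local: str):
    """Split an ss-style 'Local Address:Port' token; IPv6 hosts are bracketed."""
    host, sep, port = local.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)

def classify_host(host: str) -> str:
    if host in WILDCARD_HOSTS:
        return "all interfaces"
    if host in LOOPBACK_HOSTS or host.startswith("127."):
        return "loopback"
    return "specific interface"

def find_exposed_grpc_listeners(ss_output: str) -> list:
    """Return TorchServe gRPC listeners whose bind address is not loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and short lines; the local address is the 4th column.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        parsed = split_host_port(fields[3])
        if parsed is None or parsed[1] not in TORCHSERVE_GRPC_PORTS:
            continue
        host, port = parsed
        scope = classify_host(host)
        if scope != "loopback":
            findings.append({"port": port, "role": TORCHSERVE_GRPC_PORTS[port],
                             "host": host, "scope": scope})
    return findings

# Constructed `ss -ltn` output: both gRPC ports on wildcard addresses (the
# pre-fix default), plus a hardened variant bound to loopback only.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:7070        0.0.0.0:*
LISTEN 0      128    [::]:7071           [::]:*
"""
HARDENED_SS_OUTPUT = SAMPLE_SS_OUTPUT.replace("0.0.0.0:7070", "127.0.0.1:7070") \
                                     .replace("[::]:7071", "[::1]:7071")

if __name__ == "__main__":
    print(find_exposed_grpc_listeners(SAMPLE_SS_OUTPUT))
```

Run it against the real output of `ss -ltn` on a TorchServe host; an empty result means both gRPC listeners are loopback-only.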
References
- github.com/advisories/GHSA-hhpg-v63p-wp7w
- github.com/pytorch/serve
- github.com/pytorch/serve/commit/aab99506a17193de217aacc1119d9381dbc6ed2b
- github.com/pytorch/serve/pull/3083
- github.com/pytorch/serve/releases/tag/v0.11.0
- github.com/pytorch/serve/security/advisories/GHSA-hhpg-v63p-wp7w
- nvd.nist.gov/vuln/detail/CVE-2024-35199