torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl: 4 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /embedding/requirements.txt

Path to vulnerable library: /embedding/requirements.txt

Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (torch version)	Remediation Possible**
CVE-2024-31584	High	7.5	torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl	Direct	2.2.0	❌
CVE-2024-31583	High	7.5	torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl	Direct	2.2.0	❌
CVE-2024-31580	High	7.5	torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl	Direct	2.2.0	❌
CVE-2024-5480	Medium	6.4	torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl	Direct	N/A	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-31584

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /embedding/requirements.txt

Path to vulnerable library: /embedding/requirements.txt

Dependency Hierarchy:

• ❌ torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f

Found in base branch: main

Vulnerability Details

Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

Publish Date: 2024-04-19

URL: CVE-2024-31584

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31584

Release Date: 2024-04-19

Fix Resolution: 2.2.0

Step up your Open Source Security Game with Mend here

CVE-2024-31583

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /embedding/requirements.txt

Path to vulnerable library: /embedding/requirements.txt

Dependency Hierarchy:

• ❌ torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f

Found in base branch: main

Vulnerability Details

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

Publish Date: 2024-04-17

URL: CVE-2024-31583

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31583

Release Date: 2024-04-17

Fix Resolution: 2.2.0

Step up your Open Source Security Game with Mend here

CVE-2024-31580

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /embedding/requirements.txt

Path to vulnerable library: /embedding/requirements.txt

Dependency Hierarchy:

• ❌ torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f

Found in base branch: main

Vulnerability Details

PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Publish Date: 2024-04-17

URL: CVE-2024-31580

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-31580

Release Date: 2024-04-17

Fix Resolution: 2.2.0

Step up your Open Source Security Game with Mend here

CVE-2024-5480

Vulnerable Library - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Tensors and Dynamic neural networks in Python with strong GPU acceleration

Library home page: https://files.pythonhosted.org/packages/00/86/77a9eddbf46f1bca2468d16a401911f58917f95b63402d6a7a4522521e5d/torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /embedding/requirements.txt

Path to vulnerable library: /embedding/requirements.txt

Dependency Hierarchy:

• ❌ torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f

Found in base branch: main

Vulnerability Details

A vulnerability in the PyTorch's torch.distributed.rpc framework, specifically in versions prior to 2.2.2, allows for remote code execution (RCE). The framework, which is used in distributed training scenarios, does not properly verify the functions being called during RPC (Remote Procedure Call) operations. This oversight permits attackers to execute arbitrary commands by leveraging built-in Python functions such as eval during multi-cpu RPC communication. The vulnerability arises from the lack of restriction on function calls when a worker node serializes and sends a PythonUDF (User Defined Function) to the master node, which then deserializes and executes the function without validation. This flaw can be exploited to compromise master nodes initiating distributed training, potentially leading to the theft of sensitive AI-related data.

Publish Date: 2024-06-06

URL: CVE-2024-5480

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here