CVE-2023-43654

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Sep 28, 2023
Updated: Oct 31, 2023
CWE ID 918

Summary

CVE-2023-43654 is a vulnerability affecting TorchServe, a tool used for serving and scaling PyTorch models in production. The issue lies in the default configuration of TorchServe, which lacks sufficient input validation, allowing third parties to trigger remote HTTP download requests and write files to the system's disk. This weakness could potentially lead to system compromise and data breaches. Versions 0.1.0 to 0.8.1 are affected, and users can load models from any URL without proper validation. TorchServe urges users to upgrade to version 0.8.2, which includes a pull request warning users about the default value for allowed_urls and addressing this vulnerability. There are currently no known workarounds for this issue.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share