exploitDog

GHSA-4vmg-rw8f-92f9

Published: 20 Mar 2025
Source: github
Github: Reviewed
CVSS3: 9.8

Description

Withdrawn Advisory: PyTorch deserialization vulnerability

Withdrawn Advisory

This advisory has been withdrawn because it describes known functionality of PyTorch. This link is maintained to preserve external references.

Original Description

A deserialization vulnerability exists in the PyTorch RPC framework (torch.distributed.rpc) in pytorch/pytorch versions <=2.3.1. The vulnerability arises from the lack of security verification during the deserialization process of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py. This flaw allows an attacker to execute arbitrary code remotely by sending a malicious serialized PythonUDF object, leading to remote code execution (RCE) on the master node.

Packages

Name: torch (pip)
Affected versions: <= 2.3.1
Fixed version: None

CVSS3: 9.8 Critical

Weaknesses: CWE-502

Related vulnerabilities

ubuntu
10 months ago

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVSS3: 2.6
redhat
10 months ago

A flaw was found in PyTorch. This vulnerability allows an attacker to execute arbitrary code remotely via a maliciously crafted serialized PythonUDF object.

nvd
10 months ago

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
