U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-5480

Change History

CVE Modified by huntr.dev 10/02/2024 12:15:10 PM

Action Type Old Value New Value
Removed CVSS V3
huntr.dev AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

								
						
Removed CWE
huntr.dev CWE-77

								
						
Changed Description
A vulnerability in the PyTorch's torch.distributed.rpc framework, specifically in versions prior to 2.2.2, allows for remote code execution (RCE). The framework, which is used in distributed training scenarios, does not properly verify the functions being called during RPC (Remote Procedure Call) operations. This oversight permits attackers to execute arbitrary commands by leveraging built-in Python functions such as eval during multi-cpu RPC communication. The vulnerability arises from the lack of restriction on function calls when a worker node serializes and sends a PythonUDF (User Defined Function) to the master node, which then deserializes and executes the function without validation. This flaw can be exploited to compromise master nodes initiating distributed training, potentially leading to the theft of sensitive AI-related data.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Removed Reference
huntr.dev https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3

								
						

CVE Rejected by huntr.dev 10/02/2024 12:15:10 PM

Action Type Old Value New Value

CVE Translated by huntr.dev 10/02/2024 12:15:10 PM

Action Type Old Value New Value
Removed Translation
Title: PyTorch
Description: Una vulnerabilidad en el framework torch.distributed.rpc de PyTorch, específicamente en versiones anteriores a la 2.2.2, permite la ejecución remota de código (RCE). El framework, que se utiliza en escenarios de capacitación distribuida, no verifica adecuadamente las funciones que se llaman durante las operaciones RPC (llamada a procedimiento remoto). Esta supervisión permite a los atacantes ejecutar comandos arbitrarios aprovechando las funciones integradas de Python, como la evaluación, durante la comunicación RPC entre múltiples CPU. La vulnerabilidad surge de la falta de restricción en las llamadas a funciones cuando un nodo trabajador serializa y envía una PythonUDF (función definida por el usuario) al nodo maestro, que luego deserializa y ejecuta la función sin validación. Esta falla puede explotarse para comprometer los nodos maestros que inician el entrenamiento distribuido, lo que podría conducir al robo de datos confidenciales relacionados con la IA.