U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2024-5480

Change History

CVE Translated by huntr.dev 10/02/2024 12:15:10 PM

Action Type Old Value New Value
Removed Translation 
Title: PyTorch
Description: Una vulnerabilidad en el framework torch.distributed.rpc de PyTorch, específicamente en versiones anteriores a la 2.2.2, permite la ejecución remota de código (RCE). El framework, que se utiliza en escenarios de capacitación distribuida, no verifica adecuadamente las funciones que se llaman durante las operaciones RPC (llamada a procedimiento remoto). Esta supervisión permite a los atacantes ejecutar comandos arbitrarios aprovechando las funciones integradas de Python, como la evaluación, durante la comunicación RPC entre múltiples CPU. La vulnerabilidad surge de la falta de restricción en las llamadas a funciones cuando un nodo trabajador serializa y envía una PythonUDF (función definida por el usuario) al nodo maestro, que luego deserializa y ejecuta la función sin validación. Esta falla puede explotarse para comprometer los nodos maestros que inician el entrenamiento distribuido, lo que podría conducir al robo de datos confidenciales relacionados con la IA.
 

								
								
					

				
			




		

	
		

			 
			

				CVE Modified by huntr.dev 10/02/2024 12:15:10 PM
			



			

				 
					

						Action
						Type
						Old Value
						New Value
					

				
				
					

						Removed
						CVSS V3
						
							
							
								
							
								
huntr.dev AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						CWE
						
							
							
								
							
								
huntr.dev CWE-77

								
							
							
								
							
						
								
							
								

								
								
					

					

						Changed
						Description
						
							
							
								
							
								
A vulnerability in the PyTorch's torch.distributed.rpc framework, specifically in versions prior to 2.2.2, allows for remote code execution (RCE). The framework, which is used in distributed training scenarios, does not properly verify the functions being called during RPC (Remote Procedure Call) operations. This oversight permits attackers to execute arbitrary commands by leveraging built-in Python functions such as eval during multi-cpu RPC communication. The vulnerability arises from the lack of restriction on function calls when a worker node serializes and sends a PythonUDF (User Defined Function) to the master node, which then deserializes and executes the function without validation. This flaw can be exploited to compromise master nodes initiating distributed training, potentially leading to the theft of sensitive AI-related data.

								
							
							
								
							
						
								
							
								
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

								
								
					

					

						Removed
						Reference
						
							
							
								
							
								
huntr.dev https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3

								
							
							
								
							
						
								
							
								

								
								
					

				
			




		

	
		

			 
			

				CVE Rejected by huntr.dev 10/02/2024 12:15:10 PM
			



			

				 
					

						Action
						Type
						Old Value
						New Value