GHSA-xx7c-j7h3-vjcq

Source

https://github.com/advisories/GHSA-xx7c-j7h3-vjcq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-xx7c-j7h3-vjcq/GHSA-xx7c-j7h3-vjcq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xx7c-j7h3-vjcq

Aliases

CVE-2024-6577

Published

2025-03-20T12:32:45Z

Modified

2025-03-21T22:25:52.721186Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Summary

TorchServe script references S3 bucket without ensuring ownership or confirming accessibility

Details

In the latest version of pytorch/serve, the script 'uploadresultsto_s3.sh' references the S3 bucket 'benchmarkai-metrics-prod' without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unauthorized access to the bucket if it is not properly secured or claimed by the appropriate entity. The issue may result in data breaches, exposure of proprietary information, or unauthorized modifications to stored data.

Database specific

{
    "github_reviewed_at": "2025-03-21T22:07:23Z",
    "severity": "MODERATE",
    "cwe_ids": [],
    "github_reviewed": true,
    "nvd_published_at": "2025-03-20T10:15:32Z"
}

References

Affected packages

PyPI / torchserve

Package

Name: torchserve; View open source insights on deps.dev
Purl: pkg:pypi/torchserve

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.11.0

Affected versions

0.*

0.0.1b20200409

0.1.1

0.2.0

0.2.2

0.3.0

0.3.1

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

0.5.2

0.5.3

0.6.0

0.6.1

0.7.0

0.7.1

0.8.0

0.8.1

0.8.2

0.9.0

0.10.0

0.11.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-xx7c-j7h3-vjcq/GHSA-xx7c-j7h3-vjcq.json"