GHSA-47fc-vmwq-366v

Source

https://github.com/advisories/GHSA-47fc-vmwq-366v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-47fc-vmwq-366v/GHSA-47fc-vmwq-366v.json

Aliases

BIT-pytorch-2022-45907
CVE-2022-45907
PYSEC-2022-43015

Published

2022-11-26T03:30:27Z

Modified

2023-12-06T01:02:42.829739Z

Details

In PyTorch before trunk/89695, torch.jit.annotations.parsetypeline can cause arbitrary code execution because eval is used unsafely. The fix for this issue is available in version 1.13.1. There is a release checker in issue #89855.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-45907
https://github.com/pytorch/pytorch/issues/88868
https://github.com/pytorch/pytorch/issues/89855
https://github.com/pytorch/pytorch/pull/89189
https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3
https://github.com/pytorch/pytorch
https://github.com/pytorch/pytorch/releases/tag/v1.13.1

Affected packages

PyPI / torch

Package

Name: torch

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.13.1

Affected versions

1.*

1.0.0

1.0.1

1.0.1.post2

1.1.0

1.1.0.post2

1.2.0

1.3.0

1.3.0.post2

1.3.1

1.4.0

1.5.0

1.5.1

1.6.0

1.7.0

1.7.1

1.8.0

1.8.1

1.9.0

1.9.1

1.10.0

1.10.1

1.10.2

1.11.0

1.12.0

1.12.1

1.13.0

Database specific

{
    "last_known_affected_version_range": "<= 1.13.0"
}