CVE-2022-0315

Name of the Vulnerable Software and Affected Versions horovod/horovod versions prior to 0.24.0

Description The issue is related to the use of insecure temporary files in the horovod/horovod GitHub repository. Specifically, the tempfile.mktemp() function is used when Horovod is run in an LSF job with jsrun, which could allow another process to hijack the jsrun rank file and read or manipulate its content. This issue does not affect the use of MPI, Gloo, Spark, or Ray.

Recommendations For versions prior to 0.24.0, update to version 0.24.0 or later to resolve the issue. As a temporary workaround, consider providing binding args in the Settings instance to prevent the creation of the rank file.