PT-2024-26376 · Unknown · Torchserve
Namannandan
·
Published
2024-07-18
·
Updated
2024-08-07
·
CVE-2024-35199
CVSS v4.0
8.8
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
TorchServe versions prior to 0.11.0
Description
Before 0.11.0, TorchServe did not bind its two gRPC ports, 7070 (gRPC inference API) and 7071 (gRPC management API), to localhost by default, so when TorchServe was launched both listened on all network interfaces and were reachable from any host that could route to the machine. The management API controls which models are loaded and served, so this exposes administrative functionality rather than only inference. Customers using PyTorch inference Deep Learning Containers through Amazon SageMaker and EKS are not affected.
Recommendations
For versions prior to 0.11.0, upgrade to TorchServe 0.11.0 or later, which binds both gRPC ports to localhost by default. Until the upgrade can be applied, configure the gRPC ports to bind to localhost where the installed version supports it, and in any case restrict network access to ports 7070 and 7071 (host firewall, cloud security group, or Kubernetes NetworkPolicy) to the clients that need them. Binding to localhost also cuts off legitimate remote gRPC clients; route those through an authenticated reverse proxy rather than re-exposing the ports directly.
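To check whether a host is affected as described above, the following audit script (added for this page, not part of TorchServe or the original advisory) parses the output of `ss -ltn` and flags the two TorchServe gRPC ports when they are bound to anything other than a loopback address. The `ss` output embedded below is constructed for the example; the port-to-role mapping follows TorchServe's documented defaults, and wildcards or unparseable addresses are treated as exposed so the audit fails safe.

```python
"""Audit check for the exposure described above: flag TorchServe gRPC
listeners that are bound to a non-loopback address.

The parser works on the output of `ss -ltn` (Linux). The sample below is
constructed for this example, not captured from a real host."""
import ipaddress
import subprocess

# TorchServe default gRPC ports (inference and management).
TORCHSERVE_GRPC_PORTS = {7070: "gRPC inference", 7071: "gRPC management"}

# Constructed `ss -ltn` output: HTTP APIs on loopback, gRPC on all interfaces.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8081      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:7070        0.0.0.0:*
LISTEN 0      4096   [::]:7071           [::]:*
LISTEN 0      128    *:22                *:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unexpected line
        local = fields[3]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        yield addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only for a loopback address; wildcards and parse failures are
    treated as exposed, which is the conservative choice for an audit."""
    if addr in ("*", ""):
        return False
    addr = addr.split("%", 1)[0]  # drop an interface scope such as fe80::1%eth0
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_grpc_listeners(ss_output, ports=TORCHSERVE_GRPC_PORTS):
    """Return [(port, address, role)] for TorchServe gRPC ports bound
    to a non-loopback address, sorted by port."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in ports and not is_loopback(addr):
            findings.append((port, addr, ports[port]))
    return sorted(findings)


def audit_local_host():
    """Run `ss -ltn` on this machine and return the findings."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return exposed_grpc_listeners(out.stdout)


if __name__ == "__main__":
    for port, addr, role in exposed_grpc_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {role} port {port} bound to {addr}")
```

Run `audit_local_host()` on the TorchServe host itself; an empty result means both gRPC ports are either closed or bound to loopback. A non-empty result on a pre-0.11.0 install confirms the default described in this advisory. If the installed version offers address settings for the gRPC listeners in `config.properties`, setting them to `127.0.0.1` should make the findings disappear; otherwise rely on the network-level restrictions in the recommendations.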
Exploit
Fix
Weakness
Exposure of Resource to Wrong Sphere (CWE-668)
Related Identifiers
Affected Products
Torchserve