Multiple Critical Vulnerabilities in Python TorchServe Library
4 October 2023
Python has released a security update for CVE-2022-1471 and workaround measures for CVE-2023-43654 in their TorchServe Library, an Artificial Intelligence model serving tool. Both vulnerabilities carry a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
The critical vulnerabilities are:
• CVE-2023-43654: Successful exploitation of the server-side request forgery vulnerability could allow remote attackers to achieve remote code execution.
• CVE-2022-1471: Successful exploitation of the deserialisation vulnerability could allow remote attackers to achieve remote code execution.
The vulnerabilities and the corresponding affected components are:
• CVE-2022-1471: SnakeYAML versions before 2.0
• CVE-2023-43654: TorchServe versions 0.10 to 8.1
Users and administrators of the affected product versions are advised to upgrade to the latest product versions immediately. As the update does not resolve CVE-2023-43654, users and administrators are advised to configure their management console correctly and ensure that their server is only able to fetch models from trusted domains.
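The two workaround measures above correspond to two settings in TorchServe's config.properties file: management_address (where the management API listens) and allowed_urls (the comma-separated list of regular expressions a model URL must match before the server will fetch it). The following audit script is an added example written for this advisory, not code from the advisory or from the TorchServe project. It parses a config.properties text, flags a management API bound to a non-loopback address and an allowed_urls value that matches any host, and shows how a full-match allow-list accepts a model from the pinned domain while rejecting one from elsewhere. The two sample configurations and the bucket hostname are constructed for the example; the fallback defaults (management on 127.0.0.1:8081, allowed_urls permitting any http(s):// or file:// URL) are assumptions based on TorchServe's documented defaults.

```python
"""Audit a TorchServe config.properties for the two mitigations named in the
advisory: a management API that is not exposed to the network, and an
allowed_urls allow-list restricting model fetches to trusted domains.
Sample configurations below are constructed for this example."""
import re
from urllib.parse import urlparse

# Constructed weak sample: management API on every interface and an
# allow-list that matches any remote host.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed hardened sample: management API on loopback only and the
# allow-list pinned to a single trusted host (placeholder hostname).
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
allowed_urls=https://models.example-trusted-bucket.invalid/.*
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Assumed TorchServe defaults when a key is absent (see lead-in).
DEFAULT_MANAGEMENT_ADDRESS = "http://127.0.0.1:8081"


def parse_properties(text: str) -> dict:
    """Parse the subset of Java .properties syntax TorchServe uses:
    key=value lines, '#' comment lines and blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def pattern_is_overbroad(pattern: str) -> bool:
    """True when one allowed_urls regex matches any host.

    A pattern is split on top-level '|' (nested alternations inside
    parentheses are not handled by this simple check). Each alternative must
    start with a scheme prefix and pin something after '://'; a host portion
    that is empty or begins with '.*' matches every remote host."""
    for alt in pattern.split("|"):
        alt = alt.strip()
        m = re.match(r"^(?:file|https?|http\(s\)\?)://(.*)$", alt)
        if m is None:
            # Not anchored to a scheme at all, so it can match arbitrary URLs.
            return True
        rest = m.group(1)
        if rest == "" or rest.startswith(".*") or rest.startswith("(.*)"):
            return True
    return False


def url_is_allowed(url: str, allowed_urls: str) -> bool:
    """Apply an allowed_urls value as a full-match allow-list: the model URL
    must match one of the comma-separated patterns in its entirety."""
    return any(re.fullmatch(p.strip(), url) for p in allowed_urls.split(","))


def audit_torchserve_config(text: str) -> list:
    """Return a list of findings; an empty list means both mitigations from
    the advisory appear to be in place."""
    props = parse_properties(text)
    findings = []

    mgmt = props.get("management_address", DEFAULT_MANAGEMENT_ADDRESS)
    host = urlparse(mgmt).hostname or ""
    if host not in LOOPBACK_HOSTS:
        findings.append(
            f"management_address binds {host!r}: management API is reachable "
            "from the network")

    allowed = props.get("allowed_urls")
    if allowed is None:
        findings.append("allowed_urls not set: default permits model fetches "
                        "from any http(s):// or file:// URL")
    else:
        for pat in allowed.split(","):
            if pattern_is_overbroad(pat):
                findings.append(
                    f"allowed_urls pattern {pat.strip()!r} matches any host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_torchserve_config(cfg) or 'no findings'}")
```

Run against a deployment's actual config.properties, the script reports two findings for the weak sample and none for the hardened one. The allow-list check is deliberately conservative: a pattern that is not anchored to a scheme is treated as over-broad, because the point of the mitigation is that every model URL be pinned to a trusted domain.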
More information is available here:
https://www.cvedetails.com/cve/CVE-2023-43654/?q=CVE-2023-43654
https://www.cvedetails.com/cve/CVE-2022-1471/?q=CVE-2022-1471
https://nvd.nist.gov/vuln/detail/CVE-2023-43654
https://nvd.nist.gov/vuln/detail/CVE-2022-1471
https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654