add allowlist

junpuf · junpuf · commit 5447ad05e674 · 2025-07-22T16:35:39.000Z
diff --git a/pytorch/training/docker/2.4/py3/Dockerfile.ec2.cpu.os_scan_allowlist.json b/pytorch/training/docker/2.4/py3/Dockerfile.ec2.cpu.os_scan_allowlist.json
@@ -27,7 +27,7 @@
       "severity": "CRITICAL",
       "status": "ACTIVE",
       "title": "CVE-2025-32434 - torch",
-      "reason_to_ignore": "this container is specifically pytorch 2.5.x so we can’t upgrade to 2.6"
+      "reason_to_ignore": "this container is specifically pytorch 2.4.x so we cant upgrade to later minor versions"
     },
     {
       "description": "PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.",
@@ -57,7 +57,36 @@
       "status": "ACTIVE",
       "title": "CVE-2025-32434 - torch",
       "reason_to_ignore": "N/A"
-    }
+    },
+    {
+      "description": "In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.",
+      "vulnerability_id": "CVE-2024-48063",
+      "name": "CVE-2024-48063",
+      "package_name": "torch",
+      "package_details": {
+        "file_path": "/opt/conda/lib/python3.11/site-packages/torch-2.4.0+cu124.dist-info/METADATA",
+        "name": "torch",
+        "package_manager": "PYTHON",
+        "version": "2.4.0+cu124",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 9.8,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 9.8,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "CRITICAL",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48063",
+      "source": "NVD",
+      "severity": "CRITICAL",
+      "status": "ACTIVE",
+      "title": "CVE-2024-48063 - torch",
+      "reason_to_ignore": "this container is specifically pytorch 2.4.x so we cant upgrade to later minor versions"
+    },
   ],
   "jupyter_core": [
     {
diff --git a/pytorch/training/docker/2.4/py3/cu124/Dockerfile.ec2.gpu.os_scan_allowlist.json b/pytorch/training/docker/2.4/py3/cu124/Dockerfile.ec2.gpu.os_scan_allowlist.json
@@ -906,7 +906,36 @@
       "status": "ACTIVE",
       "title": "CVE-2025-32434 - torch",
       "reason_to_ignore": "N/A"
-    }
+    },
+    {
+      "description": "In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.",
+      "vulnerability_id": "CVE-2024-48063",
+      "name": "CVE-2024-48063",
+      "package_name": "torch",
+      "package_details": {
+        "file_path": "/opt/conda/lib/python3.11/site-packages/torch-2.4.0+cu124.dist-info/METADATA",
+        "name": "torch",
+        "package_manager": "PYTHON",
+        "version": "2.4.0+cu124",
+        "release": null
+      },
+      "remediation": {
+        "recommendation": {
+          "text": "None Provided"
+        }
+      },
+      "cvss_v3_score": 9.8,
+      "cvss_v30_score": 0.0,
+      "cvss_v31_score": 9.8,
+      "cvss_v2_score": 0.0,
+      "cvss_v3_severity": "CRITICAL",
+      "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48063",
+      "source": "NVD",
+      "severity": "CRITICAL",
+      "status": "ACTIVE",
+      "title": "CVE-2024-48063 - torch",
+      "reason_to_ignore": "this container is specifically pytorch 2.4.x so we cant upgrade to later minor versions"
+    },
   ],
     "jupyter_core": [
     {
