
Commit d2e58d5

committed
more allowlist
1 parent 5447ad0 commit d2e58d5


2 files changed

+60
-2
lines changed


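--- a/pytorch/training/docker/2.4/py3/Dockerfile.sagemaker.cpu.os_scan_allowlist.json
+++ b/pytorch/training/docker/2.4/py3/Dockerfile.sagemaker.cpu.os_scan_allowlist.json
@@ -57,7 +57,36 @@
 "status": "ACTIVE",
 "title": "CVE-2025-32434 - torch",
 "reason_to_ignore": "N/A"
-}
+},
+{
+"description": "In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.",
+"vulnerability_id": "CVE-2024-48063",
+"name": "CVE-2024-48063",
+"package_name": "torch",
+"package_details": {
+"file_path": "/opt/conda/lib/python3.11/site-packages/torch-2.4.0+cu124.dist-info/METADATA",
+"name": "torch",
+"package_manager": "PYTHON",
+"version": "2.4.0+cu124",
+"release": null
+},
+"remediation": {
+"recommendation": {
+"text": "None Provided"
+}
+},
+"cvss_v3_score": 9.8,
+"cvss_v30_score": 0.0,
+"cvss_v31_score": 9.8,
+"cvss_v2_score": 0.0,
+"cvss_v3_severity": "CRITICAL",
+"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48063",
+"source": "NVD",
+"severity": "CRITICAL",
+"status": "ACTIVE",
+"title": "CVE-2024-48063 - torch",
+"reason_to_ignore": "this container is specifically pytorch 2.4.x so we cant upgrade to later minor versions"
+},
 ],
 "libxml2": [
 {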
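Review bot: The new CVE-2024-48063 entry closes with `},` at new line 89, directly before the `],` that closes the enclosing array, which leaves a trailing comma that a strict JSON parser rejects; the last element should end with `}`. The same trailing comma appears in the GPU allowlist at new line 936. Separately, this CPU allowlist records `"version": "2.4.0+cu124"` and a `torch-2.4.0+cu124.dist-info` path, which looks copied from the GPU file. If the scan matcher compares package details, confirm these against the torch build actually installed in the CPU image.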

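--- a/pytorch/training/docker/2.4/py3/cu124/Dockerfile.sagemaker.gpu.os_scan_allowlist.json
+++ b/pytorch/training/docker/2.4/py3/cu124/Dockerfile.sagemaker.gpu.os_scan_allowlist.json
@@ -904,7 +904,36 @@
 "status": "ACTIVE",
 "title": "CVE-2025-32434 - torch",
 "reason_to_ignore": "N/A"
-}
+},
+{
+"description": "In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.",
+"vulnerability_id": "CVE-2024-48063",
+"name": "CVE-2024-48063",
+"package_name": "torch",
+"package_details": {
+"file_path": "/opt/conda/lib/python3.11/site-packages/torch-2.4.0+cu124.dist-info/METADATA",
+"name": "torch",
+"package_manager": "PYTHON",
+"version": "2.4.0+cu124",
+"release": null
+},
+"remediation": {
+"recommendation": {
+"text": "None Provided"
+}
+},
+"cvss_v3_score": 9.8,
+"cvss_v30_score": 0.0,
+"cvss_v31_score": 9.8,
+"cvss_v2_score": 0.0,
+"cvss_v3_severity": "CRITICAL",
+"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48063",
+"source": "NVD",
+"severity": "CRITICAL",
+"status": "ACTIVE",
+"title": "CVE-2024-48063 - torch",
+"reason_to_ignore": "this container is specifically pytorch 2.4.x so we cant upgrade to later minor versions"
+},
 ],
 "libxml2": [
 {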
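Review bot: The `reason_to_ignore` on the new entry (new line 935) explains only why the package cannot be upgraded, not why a CRITICAL (9.8) finding is acceptable to ship. The entry's own description says the CVE is disputed as intended behaviour of distributed RemoteModule, so the reason should record that and the condition it depends on, for example `"reason_to_ignore": "Disputed CVE: RemoteModule deserialization is by-design in torch.distributed RPC; image pinned to 2.4.x; RPC endpoints must only be reachable by trusted peers"`. The neighbouring CVE-2025-32434 entry carries `"N/A"`, which has the same gap but is outside this change. The CPU allowlist uses the same wording for its new entry.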
