CVE-2024-6577
MEDIUMtorchserve - Unauthenticated S3 Bucket Access via upload_results_to_s3.sh
Title source: llmDescription
In the latest version of pytorch/serve, the script 'upload_results_to_s3.sh' references the S3 bucket 'benchmarkai-metrics-prod' without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unauthorized access to the bucket if it is not properly secured or claimed by the appropriate entity. The issue may result in data breaches, exposure of proprietary information, or unauthorized modifications to stored data.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/20917570-8328-428f-bd1d-4fcd71fb2359
Scores
CVSS v3
6.3
EPSS
0.0016
EPSS Percentile
37.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-840
Status
published
Products (2)
pypi/torchserve
0PyPI
pytorch/pytorch/serve
unspecified - latest
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026