AVID-2026-R1588
Description
Unclaimed S3 Bucket Usage in pytorch/serve (CVE-2024-6577)
Details
In the latest version of pytorch/serve, the script ‘upload_results_to_s3.sh’ references the S3 bucket ‘benchmarkai-metrics-prod’ without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unauthorized access to the bucket if it is not properly secured or claimed by the appropriate entity. The issue may result in data breaches, exposure of proprietary information, or unauthorized modifications to stored data.
Reason for inclusion in AVID: CVE-2024-6577 describes a vulnerability in PyTorch Serve where a script writes to an S3 bucket without ownership/authorization checks, enabling potential data exposure or modification. This directly affects the AI serving stack used to deploy and run general-purpose AI systems, constituting a software supply-chain issue within AI pipelines (model serving/data workflows). It is a CVE-style security concern with clear impact signals appropriate for AVID curation.
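One way to enforce the ownership check that the script lacks, as an added example that is not code from pytorch/serve or from this advisory. It assumes the AWS CLI is installed and that the 12-digit account ID expected to own the bucket is known; the function names `verify_bucket_owner` and `safe_upload` are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed ownership check before any write to S3.
# The owner argument is the 12-digit AWS account ID that is supposed to own
# the bucket (an assumption of this example, supplied by the caller).

# Return 0 only if the bucket exists AND belongs to the expected account.
# Return 2 if the account ID is missing or malformed.
verify_bucket_owner() {
    bucket=$1
    owner=$2
    # Reject an empty or non-numeric account ID instead of skipping the check.
    case $owner in
        ''|*[!0-9]*)
            echo "refusing: invalid account ID for bucket $bucket" >&2
            return 2 ;;
    esac
    [ "${#owner}" -eq 12 ] || {
        echo "refusing: account ID must be 12 digits" >&2
        return 2
    }
    # head-bucket fails when the bucket is owned by a different account and
    # when it does not exist (a name that anyone could still claim).
    aws s3api head-bucket --bucket "$bucket" \
        --expected-bucket-owner "$owner" >/dev/null 2>&1
}

# Upload one file. The same owner condition is sent with the write itself,
# so the request is rejected if ownership changes after the check above.
safe_upload() {
    file=$1
    bucket=$2
    key=$3
    owner=$4
    if ! verify_bucket_owner "$bucket" "$owner"; then
        echo "refusing upload: $bucket not verified for account $owner" >&2
        return 1
    fi
    aws s3api put-object --bucket "$bucket" --key "$key" --body "$file" \
        --expected-bucket-owner "$owner" >/dev/null
}
```

A caller would invoke `safe_upload <file> <bucket> <key> <account-id>` and treat any non-zero status as a reason to stop rather than retry against the same bucket name.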
References
Affected or Relevant Artifacts
- Developer: pytorch
- Deployer: pytorch
- Artifact Details:
| Type | Name |
|---|---|
| System | pytorch/serve |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| Base Score | 6.3 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🟢 Low |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-840 | CWE-840 Business Logic Errors |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry