Hi! I have recently pulled the official PyTorch docker image and analysed it with Trivy (a security and vulnerability scanner). The result shows several vulnerabilities:
$ trivy image --vuln-type library pytorch/pytorch:2.0.1-cuda11.7-cudnn8-runtime
Python (python-pkg)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
┌─────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                        │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ mpmath (PKG-INFO)   │ CVE-2021-29063 │ HIGH     │ 1.2.1             │               │ A Regular Expression Denial of Service (ReDOS) vulnerability │
│                     │                │          │                   │               │ was disco ...                                                │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-29063                   │
├─────────────────────┤                │          ├───────────────────┼───────────────┤                                                              │
│ mpmath (METADATA)   │                │          │ 1.3.0             │               │                                                              │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ requests (METADATA) │ CVE-2023-32681 │ MEDIUM   │ 2.28.1            │ 2.31.0        │ Unintended leak of Proxy-Authorization header                │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32681                   │
│                     │                │          ├───────────────────┤               │                                                              │
│                     │                │          │ 2.29.0            │               │                                                              │
└─────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them?
Thanks in advance!
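Added example (not part of the original post, and not PyTorch project code): a script that triages the same findings from Trivy's machine-readable output (`trivy image -f json -o report.json <image>`) instead of the rendered table. It separates the two questions the table raises: whether an upgrade exists for each CVE, and why one package appears twice. A `PKG-INFO` entry comes from an egg-info directory and a `METADATA` entry from a dist-info directory, so two rows for mpmath mean two copies of the package are installed in the image, and only the copy Python actually imports matters for exposure. The embedded JSON is constructed to mirror the four rows above using Trivy's JSON field names; the `PkgPath` values are assumptions, not taken from the real image.

```python
"""Triage Trivy JSON findings for a Python image: is a fix available for each
CVE, and is a package present more than once (stale egg-info next to a newer
dist-info, as the scan above shows for mpmath)?"""
import json

# Constructed sample mirroring the four findings in the scan above, in the
# field names Trivy's `-f json` output uses. PkgPath values are assumptions.
TRIVY_JSON = r"""
{
  "ArtifactName": "pytorch/pytorch:2.0.1-cuda11.7-cudnn8-runtime",
  "Results": [
    {
      "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-29063", "PkgName": "mpmath",
         "PkgPath": "site-packages/mpmath-1.2.1.egg-info/PKG-INFO",
         "InstalledVersion": "1.2.1", "FixedVersion": "", "Severity": "HIGH",
         "Title": "A Regular Expression Denial of Service (ReDOS) vulnerability"},
        {"VulnerabilityID": "CVE-2021-29063", "PkgName": "mpmath",
         "PkgPath": "site-packages/mpmath-1.3.0.dist-info/METADATA",
         "InstalledVersion": "1.3.0", "FixedVersion": "", "Severity": "HIGH",
         "Title": "A Regular Expression Denial of Service (ReDOS) vulnerability"},
        {"VulnerabilityID": "CVE-2023-32681", "PkgName": "requests",
         "PkgPath": "site-packages/requests-2.28.1.dist-info/METADATA",
         "InstalledVersion": "2.28.1", "FixedVersion": "2.31.0", "Severity": "MEDIUM",
         "Title": "Unintended leak of Proxy-Authorization header"},
        {"VulnerabilityID": "CVE-2023-32681", "PkgName": "requests",
         "PkgPath": "site-packages/requests-2.29.0.dist-info/METADATA",
         "InstalledVersion": "2.29.0", "FixedVersion": "2.31.0", "Severity": "MEDIUM",
         "Title": "Unintended leak of Proxy-Authorization header"}
      ]
    }
  ]
}
"""
REPORT = json.loads(TRIVY_JSON)


def version_key(v):
    """Sort key for plain dotted versions such as 2.28.1. Sufficient for the
    versions in this scan; PEP 440 pre-releases would need packaging.version."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def findings(report):
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def triage(report):
    """Collapse Trivy's per-metadata-file findings into one row per (CVE, package)."""
    rows = {}
    for v in findings(report):
        key = (v["VulnerabilityID"], v["PkgName"])
        row = rows.setdefault(key, {"severity": v["Severity"],
                                    "fixed": v.get("FixedVersion", ""), "copies": []})
        row["copies"].append((v["InstalledVersion"], v.get("PkgPath", "")))
    for row in rows.values():
        row["copies"].sort(key=lambda c: version_key(c[0]))
        row["multiple_versions"] = len({ver for ver, _ in row["copies"]}) > 1
        # Trivy lists a package only when it considers it vulnerable, so a
        # non-empty FixedVersion means an upgrade exists; an empty one means the
        # advisory data records no fixed release and upstream must be consulted.
        row["fix_available"] = bool(row["fixed"])
        # The highest-versioned copy is the one pip most likely reports; lower
        # ones are candidates for metadata left behind by an earlier install.
        row["newest"] = row["copies"][-1][0]
    return rows


def stale_copies(report):
    """Packages installed at more than one version, with the lower-versioned
    metadata paths that are probably leftovers."""
    return {pkg: [path for ver, path in row["copies"] if ver != row["newest"]]
            for (_, pkg), row in triage(report).items() if row["multiple_versions"]}


def summarize(report):
    lines = []
    for (cve, pkg), row in sorted(triage(report).items()):
        status = (f"fix available: upgrade to {row['fixed']}" if row["fix_available"]
                  else "no fixed version in advisory data")
        installed = ", ".join(ver for ver, _ in row["copies"])
        lines.append(f"{cve} {pkg} {row['severity']}: installed {installed}; {status}")
    return lines


if __name__ == "__main__":
    for line in summarize(REPORT):
        print(line)
    for pkg, paths in stale_copies(REPORT).items():
        print(f"{pkg}: more than one copy installed, likely stale: {paths}")
```

To settle which copy the image actually uses, run the interpreter inside it: `docker run --rm pytorch/pytorch:2.0.1-cuda11.7-cudnn8-runtime python -c "import mpmath; print(mpmath.__version__, mpmath.__file__)"`. If that prints 1.3.0, the 1.2.1 finding is a stale egg-info directory rather than importable code; mpmath's 1.3.0 release notes list CVE-2021-29063 as fixed, even though the scanner's advisory data shows no fixed version. For requests, both reported versions are below the 2.31.0 fix, so an upgrade is the remedy regardless of which copy imports.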