TorchServe Management API Publicly Exposed

Severity: High

Summary#

Invicti identified the TorchServe Management API is publicly exposed in the target web server. TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In the default configuration, TorchServe Management API is designed to be accessed inside trusted environments. It's not recommended to have TorchServe Management API publicly accessible.

Impact#

This vulnerability allows unauthenticated attackers to expose sensitive information or use API to conduct further attacks.

Remediation#

It's recommended to restrict access to this service on production systems

Classifications#

CWE-200, OWASP 2017-A6, ISO27001-A.18.1.3, PCI v3.2-6.5.8, CAPEC-212, HIPAA-164.312(a)(1), WASC-14, OWASP 2013-A5

TorchServe Management API Publicly Exposed

Related Articles

Build your resistance to threats. And save hundreds of hours each month.