AWS acknowledges vulnerabilities (CVE-2024-35198 and CVE-2024-35199) in PyTorch TorchServe versions 0.3.0 to 0.10.0.
CVE-2024-35198 allows model downloads via malicious URLs, while CVE-2024-35199 involves insecure gRPC port binding.
Customers using PyTorch inference Deep Learning Containers (DLCs) through Amazon SageMaker or EKS are not affected.
TorchServe version 0.11.0 resolves these issues.
Customers can upgrade to the latest version of TorchServe or pull DLCs with the patched version using the provided image tags.
The vulnerabilities are addressed in PyTorch 2.2, 2.1, and 1.13 DLCs.
AWS acknowledges Kroll Cyber Risk's collaboration in vulnerability disclosure.
Questions or comments can be directed to AWS/Amazon Security through the vulnerability reporting page or via email.
Public GitHub issues should not be created for this advisory.
aws.amazon.com
