CVE-2022-0845 Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

We have confirmed the issue on PyTorch 1.4.0 and 1.3.0, and it is likely that the issue also occurs in PyTorch 1.2.0.

We have created a pull request to fix this issue. If you would like to help us confirm whether the issue occurs in PyTorch 1.3.0 and 1.4.0, you can clone the repository, run setup.py install, and then run the unit tests.

How to check whether the PyTorch Lightning plugin is vulnerable?

Running setup.py install will install the dependencies.
On the first run of setup.py install, you will get an error message like this one:
The issue occurs when you try to install the pytorch-lightning package. Ensure you do not have any other dependencies installed.

How to fix the issue?

If you did not install any other dependencies, run pip install --ed pytorch-lightning.

How to confirm that the issue is fixed?

If you did not install any other dependencies, run pip install --ed pytorch-lightning.

SOLUTION:

For PyTorch 1.4.0 and 1.3.0, the issue is fixed in pytorch-lightning 1.6.0.
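The practical check a defender makes for this advisory is whether any pinned pytorch-lightning version is still below the 1.6.0 fix. The following is an added example, not code from the advisory or from the pytorch-lightning project: it scans requirements.txt / pip freeze style lines (a constructed sample is embedded), treats pre-releases of 1.6.0 as still affected, and reports every pin that falls before the fixed release.

```python
"""Flag pytorch-lightning pins below the CVE-2022-0845 fix version (1.6.0).

Added example, not part of the advisory. Input format assumed: one
requirement per line, as written by `pip freeze` or in requirements.txt.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (1, 6, 0)  # advisory: fixed in pytorch-lightning 1.6.0
# Matches "pytorch-lightning==1.5.10" or "pytorch_lightning==1.6.0rc1".
PKG_RE = re.compile(r"^\s*(pytorch[-_]lightning)\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)
VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(rc\d+|a\d+|b\d+|dev\d+)?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.5.10rc1' into (1, 5, 10, 0); the last field is 0 for a pre-release
    and 1 for a final release, so 1.6.0rc1 sorts before 1.6.0."""
    m = VER_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.group(1, 2, 3))
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def is_affected(version: str) -> bool:
    """True when the version is prior to the fixed final release 1.6.0."""
    return parse_version(version) < FIXED_VERSION + (1,)


def scan_requirements(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (raw line, version) for every pytorch-lightning pin still affected."""
    hits = []
    for line in lines:
        m = PKG_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and is_affected(m.group(2)):
            hits.append((line.strip(), m.group(2)))
    return hits


# Constructed sample input, not taken from any real project.
SAMPLE = [
    "torch==1.11.0",
    "pytorch-lightning==1.5.10  # trainer",
    "pytorch_lightning==1.6.0rc1",
    "pytorch-lightning==1.6.0",
]

if __name__ == "__main__":
    for raw, ver in scan_requirements(SAMPLE):
        print(f"AFFECTED by CVE-2022-0845: {raw} ({ver} < 1.6.0)")
```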

PyTorch Lightning plugin - Bypass Vulnerabilities

This article is about the PyTorch Lightning plugin.

The PyTorch Lightning plugin provides a way for users to write models and train them in batches, as well as options for increasing batch size by turning on add_layer and extract_hidden_tensors.
