CVE-2022-0845 Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.
We have confirmed the issue on Pytorch 1.4.0 and 1.3.0, and it is likely that the issue also occurs in PyTorch 1.2.0.
We have created a pull request to fix this issue. If you would like to help us confirm whether the issue occurs in Pytorch 1.3.0 and 1.4.0, you can clone the repository, run setup.py install, and then run the unit tests.
How to check if the Pytorch Lightning plugin is vulnerable?
Running setup.py install will install the dependencies.
On the first run of setup.py install, you'll get an error message like this one:
The issue occurs when you try to install the pytorch-lightning package. Ensure you do not have any other dependencies installed.
How to fix the issue?
If you did not install any other dependencies, run pip install --ed pytorch-lightning.
How to confirm the issue is fixed?
If you did not install any other dependencies, run pip install --ed pytorch-lightning.
SOLUTION:
For Pytorch 1.4.0 and 1.3.0 the issue is fixed in pytorch-lightning 1.6.0.
Pytorch Lightning plugin - Bypass Vulnerabilities
This article is about the Pytorch Lightning plugin.
The Pytorch Lightning plugin provides a way for users to write models and train them in batches, as well as options for increasing the batch size by turning on add_layer and extract_hidden_tensors.
Timeline
Published on: 03/05/2022 22:15:00 UTC
Last modified on: 03/10/2022 22:00:00 UTC