PyPi: Kserve

CVE-2021-45046

Transitive

Safety vulnerability ID: 49420

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 14, 2021 Updated at Nov 29, 2024
Scan your Python projects for vulnerabilities →

Advisory

Kserve 0.9.0rc0 updates its dependency 'ray' to v1.9.2 to include security fixes.

Affected package

kserve

Latest version: 0.14.0

KServe Python SDK

Affected versions

Fixed versions

Vulnerability changelog

:rainbow: What's New?

Core Inference
* Add mlflow support by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2034
* Add autoscaling target and metric to isvc components by andyi2it in https://github.com/kserve/kserve/pull/2082
* Add ingress class name configuration by pradithya in https://github.com/kserve/kserve/pull/2049
* Add template for generating inference service domain by pradithya in https://github.com/kserve/kserve/pull/2054
* Add Model Status API to isvc by pvaneck in https://github.com/kserve/kserve/pull/2084
* Add logic to update ModelStatus by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2088
* Allow InferenceService url scheme to be configurable by markwinter in https://github.com/kserve/kserve/pull/2202

Advanced Inference
* Initial inference graph API implementation by yuzisun Iamlovingit njhill https://github.com/kserve/kserve/pull/1910
* Enable transformers to work with ModelMesh by chinhuang007 in https://github.com/kserve/kserve/pull/2136

Model Storage Provider
* Introduce new storage spec for unified configuration by Tomcli in https://github.com/kserve/kserve/pull/1899
* Add Azure file share support by laozc Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2180
* Support webhdfs in storageURI and storage spec by markwinter in https://github.com/kserve/kserve/pull/2077

Serving Runtime
* Add `protocolversion` in servingruntime spec by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2118
* Add Volumes to ServingRuntimePodSpec; allow other built-in ServerTypes by njhill in https://github.com/kserve/kserve/pull/2147
* Allow more fields in servingruntime container spec by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2112
* Add env field to ServingRuntime builtInAdapter settings by njhill in https://github.com/kserve/kserve/pull/2123

:warning: What's Changed
* Convert kserve manager from statefulset to deployment to make HA by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2160

:lady_beetle: Fixes
* Update ray to 1.9.2 for log4j security vulnerability fix by markwinter in https://github.com/kserve/kserve/pull/2056
* Runtimes installation issue fix by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2071
* Fix: replace image tag issue by ittus in https://github.com/kserve/kserve/pull/2074
* Fix status RestURL type by pvaneck in https://github.com/kserve/kserve/pull/2121
* Use default port for raw deployment as fail safe by andyi2it in https://github.com/kserve/kserve/pull/2116
* Fix canary rollout falling back to previously rolled out version by wenyangchou in https://github.com/kserve/kserve/pull/2097
* Fix: predict address url on status object by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2146
* Fix downloading model with nested sub folders from gcs by andyi2it in https://github.com/kserve/kserve/pull/2152
* Delete only the trainedmodel in the namespace where the isvc by hehe04 in https://github.com/kserve/kserve/pull/2166

:arrow_up: Version upgrades
* go mod: Upgrade to ginkgo v2 by haoxins in https://github.com/kserve/kserve/pull/2062
* upgrade alibi version to 0.6.4 by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2092
* Upgrade kserve python dep by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2103
* Bump torchserve version to 0.6.0 by jagadeeshi2i in https://github.com/kserve/kserve/pull/2214
* Update python dep for kserve sdk by yuzisun in https://github.com/kserve/kserve/pull/2216

:book: Documentation
* TorchServe - KServe v2 - Examples update by shrinath-suresh in https://github.com/kserve/kserve/pull/2035
* TorchServe - KServe v2 - bert explanation by shrinath-suresh in https://github.com/kserve/kserve/pull/2043
* Fix the required K8s version comments by haoxins in https://github.com/kserve/kserve/pull/2076
* Fix triton + torchscript guidelines to be executable by Curt-Park in https://github.com/kserve/kserve/pull/2091
* fix: configmap url in sklearn example by ittus in https://github.com/kserve/kserve/pull/2072
* Fix e2e test example gcs bucket by yuzisun in https://github.com/kserve/kserve/pull/2134
* Update docs/samples/pipelines/ by georgetree in https://github.com/kserve/kserve/pull/2122
* Update Infer proto docs to mention BFloat16 type by rmccorm4 in https://github.com/kserve/kserve/pull/2159
* Add cherry pick script and document cherrypick process by yuzisun in https://github.com/kserve/kserve/pull/2153
* Made changes to update sdk and docs by running code-gen by andyi2it in https://github.com/kserve/kserve/pull/2162
* Update documentation for getting Prometheus metrics. by shrinandj in https://github.com/kserve/kserve/pull/2171
* Update deprecated gcs bucket by yuzisun in https://github.com/kserve/kserve/pull/2215
* Update Feast transformer to support ModelMesh by chinhuang007 in https://github.com/kserve/kserve/pull/2204
* update graph sample by Iamlovingit in https://github.com/kserve/kserve/pull/2223

:hammer_and_pick: Developer Experience
* Move ComponentExtensionSpec validation to own test file by markwinter in https://github.com/kserve/kserve/pull/2110
* Add default container annotation by haoxins in https://github.com/kserve/kserve/pull/2124
* update kserve manager kind as deployment in helm chart by Suresh-Nakkeran in https://github.com/kserve/kserve/pull/2172
* Fix kubectl version compatibility issue in post e2e test script by yuzisun in https://github.com/kserve/kserve/pull/2175
* Add aix-explainer deploy command by Cheng8994 in https://github.com/kserve/kserve/pull/2174
* Added a specific version for protobuf by andyi2it in https://github.com/kserve/kserve/pull/2201
* Fix controller manager image patch in CI by yuzisun in https://github.com/kserve/kserve/pull/2199
* Remove presubmit tests depending on optional-test-infra by aws-kf-ci-bot in https://github.com/kserve/kserve/pull/2194
* chore: Update E2E tests to use GH Actions by pvaneck in https://github.com/kserve/kserve/pull/2206
* Add install script for KServe and ModelMesh by chinhuang007 in https://github.com/kserve/kserve/pull/2032
* Publish helm chart as release asset by ddelange in https://github.com/kserve/kserve/pull/2189


New Contributors
* shrinath-suresh made their first contribution in https://github.com/kserve/kserve/pull/2035
* ittus made their first contribution in https://github.com/kserve/kserve/pull/2074
* Curt-Park made their first contribution in https://github.com/kserve/kserve/pull/2091
* georgetree made their first contribution in https://github.com/kserve/kserve/pull/2122
* wenyangchou made their first contribution in https://github.com/kserve/kserve/pull/2097
* rmccorm4 made their first contribution in https://github.com/kserve/kserve/pull/2159
* hehe04 made their first contribution in https://github.com/kserve/kserve/pull/2166
* Cheng8994 made their first contribution in https://github.com/kserve/kserve/pull/2174
* shrinandj made their first contribution in https://github.com/kserve/kserve/pull/2171
* aws-kf-ci-bot made their first contribution in https://github.com/kserve/kserve/pull/2194
* ddelange made their first contribution in https://github.com/kserve/kserve/pull/2189

**Full Changelog**: https://github.com/kserve/kserve/compare/v0.8.0...v0.9.0-rc0

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

CRITICAL 9.0

CVSS v3 Details

CRITICAL 9.0
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
HIGH
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
CHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Availability (A)
HIGH

CVSS v2 Details

MEDIUM 5.1
Access Vector (AV)
NETWORK
Access Complexity (AC)
HIGH
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
PARTIAL
Availability Impact (A)
PARTIAL