ONNX Directory Traversal Vulnerability Affects Previous Versions
CVE-2024-27318
7.5 HIGH
What is CVE-2024-27318?
The onnx Python package, used to load and exchange machine learning models across frameworks, can store large tensor weights outside the model file and record where to find them in the external_data field of each TensorProto (a list of key/value entries whose "location" entry is a file path meant to be relative to the model's directory). In versions up to and including 1.15.0 that path is not adequately restricted: a crafted model can name a location that resolves outside the model directory or the base directory supplied by the caller, so loading the model makes the process read an arbitrary file it has access to. The issue is a bypass of the fix introduced for CVE-2022-25882, which addressed the same traversal but did not reject every escaping path. It is fixed in onnx 1.16.0; users and administrators should upgrade and should treat ONNX models from untrusted sources as untrusted input.
Affected Version(s)
onnx: all versions up to and including 1.15.0 (fixed in 1.16.0)
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability reserved