ONNX Vulnerable to Out-of-bounds Read Due to Off-by-one String Copy
CVE-2024-27319

9.1 CRITICAL

Key Information:

Vendor: Onnx

Status
Vendor
CVE Published: 23 February 2024

What is CVE-2024-27319?

ONNX package versions before 1.15.0 are susceptible to an out-of-bounds read caused by an off-by-one error in the ONNX_ASSERT and ONNX_ASSERTM functions. The flaw arises from improper handling of string data during a copy operation, which could allow an attacker to read unintended memory locations. It underlines the importance of robust input validation and careful memory management in reducing the risk of exploitation.

Affected Version(s)

onnx 0 <= 1.15.0

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved