Arbitrary File Overwrite Vulnerability in onnx/onnx Framework
CVE-2024-5187

8.8HIGH

Key Information:

Vendor: Onnx
Status: Onnx/onnx
Vendor: CVE Published:; 6 June 2024

Badges

📰 News Worthy

What is CVE-2024-5187?

A vulnerability exists within the download_model_with_test_data function of the ONNX framework, specifically version 1.16.0, which permits arbitrary file overwrites due to insufficient safeguards against path traversal attacks in crafted tar files. This flaw allows adversaries to manipulate file paths within the tar file extraction process, potentially leading to significant system compromise by overwriting critical files. For example, an attacker can overwrite essential files such as the /home/kali/.ssh/authorized_keys file by providing an absolute path in a malicious tar file. The lack of proper path validation during file extraction poses a severe risk to both the integrity and availability of affected systems.

Affected Version(s)

onnx/onnx <= unspecified

News Articles

cybersecurityupdate.net

CVE-2024-5187

Advisories Archives - Cyber Security News

FEDORA-2024-d9c7181a19 Packages in this update: onnx-1.14.1-3.fc40 Update description: Security fix for CVE-2024-5187 Read More FEDORA-2024-110b39017e Packages in...

References

https://huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by cybersecurityupdate.net
Jul 2, 2024
Vulnerability published
Jun 6, 2024
Vulnerability Reserved
May 21, 2024

CVE-2024-5187 Data

JSON

Onnx

Badges

What is CVE-2024-5187?

Affected Version(s)

News Articles

Advisories Archives - Cyber Security News

References

CVSS V3.1

Timeline