Lucene search

K

GitHub Advisory DatabaseGHSA-FFXJ-547X-5J7C

HistoryJan 26, 2023 - 9:30 p.m.

Directory Traversal in onnx

2023-01-2621:30:25

CWE-22

GitHub Advisory Database

github.com

12

onnx

directory traversal

vulnerability

proto field

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

56.2%

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example “…/…/…/etc/passwd”

Affected configurations

Vulners

Node

linuxfoundationonnxRange<1.13.0

CPENameOperatorVersion
onnxlt1.13.0

References

gist.github.com/jnovikov/02a9aff9bf2188033e77bd91ff062856

github.com/advisories/GHSA-ffxj-547x-5j7c

github.com/onnx/onnx/blob/96516aecd4c110b0ac57eba08ac236ebf7205728/onnx/checker.cc%23L129

github.com/onnx/onnx/commit/f369b0e859024095d721f1d1612da5a8fa38988d

github.com/onnx/onnx/issues/3991

github.com/onnx/onnx/pull/4400

nvd.nist.gov/vuln/detail/CVE-2022-25882

security.snyk.io/vuln/SNYK-PYTHON-ONNX-2395479

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

56.2%

Related for GHSA-FFXJ-547X-5J7C

osv5 prion2 cvelist2 ubuntucve1 nessus3 cbl_mariner1 nvd2 cve2 veracode1 github1 ibm2