CVE-2024-7776 — Path Traversal in Onnx

CWE-22 — Path Traversal6 documents5 sources

Severity

9.1CRITICALNVD

EPSS

1.5%

top 19.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Onnx Onnx Onnx

Timeline

PublishedMar 20

Description

A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

▶PyPIonnx/onnx< 1.17.0

▶Debianonnx/onnx< 1.16.2-1+1

▶NVDonnx/onnx1.16.1

▶CVEListV5onnx/onnx_onnxunspecified — latest

🔴Vulnerability Details

GHSA

Open Neural Network Exchange (ONNX) Path Traversal Vulnerability↗2025-03-20

▶

OSV

Open Neural Network Exchange (ONNX) Path Traversal Vulnerability↗2025-03-20

▶

OSV

CVE-2024-7776: A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1↗2025-03-20

▶

CVEList

Arbitrary File Overwrite in onnx/onnx↗2025-03-20

▶

📋Vendor Advisories

Debian

CVE-2024-7776: onnx - A vulnerability in the `download_model` function of the onnx/onnx framework, bef...↗2024

▶