2290806 – (CVE-2024-5187) CVE-2024-5187 onnx: arbitrary file overwrite in download_model_with_test_data

Bug 2290806 (CVE-2024-5187) - CVE-2024-5187 onnx: arbitrary file overwrite in download_model_with_test_data

Summary: CVE-2024-5187 onnx: arbitrary file overwrite in download_model_with_test_data

Keywords:
Status:	NEW
Alias:	CVE-2024-5187
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2290807
Blocks:
TreeView+	depends on / blocked

Reported:	2024-06-06 21:51 UTC by Robb Gatica
Modified:	2024-06-06 21:51 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Robb Gatica 2024-06-06 21:51:14 UTC

A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, version 1.16.0, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. The issue arises from the function's handling of tar file extraction without performing security checks on the paths within the tar file, as demonstrated by the ability to overwrite the `/home/kali/.ssh/authorized_keys` file by specifying an absolute path in the malicious tar file.

https://huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e11237e

Comment 1 Robb Gatica 2024-06-06 21:51:25 UTC

Created onnx tracking bugs for this issue:

Affects: fedora-all [bug 2290807]

Note You need to log in before you can comment on or make changes to this bug.