onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl: 2 vulnerabilities (highest severity is: 8.8) #75
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Micro-Learning Topic: Directory traversal (Detected by phrase)Matched on "Directory Traversal"Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality). Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: Vulnerable library (Detected by phrase)Matched on "Vulnerable Library"Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process. Try a challenge in Secure Code Warrior |
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Micro-Learning Topic: Path traversal (Detected by phrase)Matched on "path traversal"Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality). Try a challenge in Secure Code WarriorHelpful references
|
Open Neural Network Exchange
Library home page: https://files.pythonhosted.org/packages/bf/c5/e8edd9bc58192ef964270e2f4600a02cd5e5d0958b81f7abe2ee0a604478/onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Open Neural Network Exchange
Library home page: https://files.pythonhosted.org/packages/bf/c5/e8edd9bc58192ef964270e2f4600a02cd5e5d0958b81f7abe2ee0a604478/onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
A vulnerability in the
download_model_with_test_datafunction of the onnx/onnx framework, version 1.16.0, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. The issue arises from the function's handling of tar file extraction without performing security checks on the paths within the tar file, as demonstrated by the ability to overwrite the/home/kali/.ssh/authorized_keysfile by specifying an absolute path in the malicious tar file.Publish Date: 2024-06-06
URL: CVE-2024-5187
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-06-06
Fix Resolution: 1.16.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Open Neural Network Exchange
Library home page: https://files.pythonhosted.org/packages/bf/c5/e8edd9bc58192ef964270e2f4600a02cd5e5d0958b81f7abe2ee0a604478/onnx-1.12.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 8007902a6bde49bdad6e8694dfa82feb12e3f45c
Found in base branch: main
Vulnerability Details
Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"
Publish Date: 2023-01-25
URL: CVE-2022-25882
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25882
Release Date: 2023-01-25
Fix Resolution: 1.13.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: