CVE-2024-7776 — Open Neural Network Exchange (ONNX) Path Traversal Vulnerability

Description

A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files in the user's directory, potentially leading to remote command execution.

How to fix CVE-2024-7776

To remediate CVE-2024-7776, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.17.0 or later
—upgrade to 1.16.2 or later

Is CVE-2024-7776 being exploited?

Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0
from 0, < 1.17.0
from 0, < 1.16.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

References (8)

ADVISORYgithub.com/advisories/GHSA-h36j-8vv3-cj52
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-7776
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-7776
PATCHgithub.com/onnx/onnx
WEB