Lucene search

Veracode Vulnerability DatabaseVERACODE:47477

HistoryJun 12, 2024 - 4:58 a.m.

Arbitrary File Write

2024-06-1204:58:01

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

arbitrary file write

onnx

path validation

tar file

extraction

remote code execution

deletion

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.6%

JSON

onnx is vulnerable to Arbitrary File Write. The vulnerability is due to insufficient path validation within an archive during tar file extraction. An attacker can overwrite any file on the system, potentially leading to remote code execution, and deletion of system, personal, or application files.

CPENameOperatorVersion
onnxle1.16.1
onnxle1.16.1

CPE	Name	Operator	Version
	onnx	le	1.16.1
	onnx	le	1.16.1

References

github.com/onnx/onnx/commit/69c473f09c36a6744e265c7f3b86ad326c7018ad

huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e11237e

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for VERACODE:47477