Vulnerability Details CVE-2022-25882
Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"
Exploit prediction scoring system (EPSS) score
EPSS Score 0.029
EPSS Ranking 85.8%
CVSS Severity
CVSS v3 Score 7.5
References
- https://gist.github.com/jnovikov/02a9aff9bf2188033e77bd91ff062856
- https://github.com/onnx/onnx/blob/96516aecd4c110b0ac57eba08ac236ebf7205728/onnx/checker.cc%23L129
- https://github.com/onnx/onnx/commit/f369b0e859024095d721f1d1612da5a8fa38988d
- https://github.com/onnx/onnx/issues/3991
- https://github.com/onnx/onnx/pull/4400
- https://security.snyk.io/vuln/SNYK-PYTHON-ONNX-2395479
- https://gist.github.com/jnovikov/02a9aff9bf2188033e77bd91ff062856
- https://github.com/onnx/onnx/blob/96516aecd4c110b0ac57eba08ac236ebf7205728/onnx/checker.cc%23L129
- https://github.com/onnx/onnx/commit/f369b0e859024095d721f1d1612da5a8fa38988d
- https://github.com/onnx/onnx/issues/3991
- https://github.com/onnx/onnx/pull/4400
- https://security.snyk.io/vuln/SNYK-PYTHON-ONNX-2395479
Products affected by CVE-2022-25882
-
cpe:2.3:a:linuxfoundation:onnx:-
-
cpe:2.3:a:linuxfoundation:onnx:0.1
-
cpe:2.3:a:linuxfoundation:onnx:0.2
-
cpe:2.3:a:linuxfoundation:onnx:1.0
-
cpe:2.3:a:linuxfoundation:onnx:1.0.1
-
cpe:2.3:a:linuxfoundation:onnx:1.1.0
-
cpe:2.3:a:linuxfoundation:onnx:1.1.2
-
cpe:2.3:a:linuxfoundation:onnx:1.10.0
-
cpe:2.3:a:linuxfoundation:onnx:1.10.1
-
cpe:2.3:a:linuxfoundation:onnx:1.10.2
-
cpe:2.3:a:linuxfoundation:onnx:1.11.0
-
cpe:2.3:a:linuxfoundation:onnx:1.12.0
-
cpe:2.3:a:linuxfoundation:onnx:1.2.1
-
cpe:2.3:a:linuxfoundation:onnx:1.2.2
-
cpe:2.3:a:linuxfoundation:onnx:1.2.3
-
cpe:2.3:a:linuxfoundation:onnx:1.3.0
-
cpe:2.3:a:linuxfoundation:onnx:1.4.0
-
cpe:2.3:a:linuxfoundation:onnx:1.4.1
-
cpe:2.3:a:linuxfoundation:onnx:1.5.0
-
cpe:2.3:a:linuxfoundation:onnx:1.6.0
-
cpe:2.3:a:linuxfoundation:onnx:1.7.0
-
cpe:2.3:a:linuxfoundation:onnx:1.8.0
-
cpe:2.3:a:linuxfoundation:onnx:1.8.1
-
cpe:2.3:a:linuxfoundation:onnx:1.9.0