CVE-2024-27318 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-27318 at MITRE

Description

Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.

SUSE Bugzilla entry: 1220347 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`libonnx >= 1.16.0-1.1` `libonnx_proto >= 1.16.0-1.1` `onnx-backend-test >= 1.16.0-1.1` `onnx-devel >= 1.16.0-1.1` `python310-onnx >= 1.16.0-1.1` `python311-onnx >= 1.16.0-1.1` `python312-onnx >= 1.16.0-1.1`	Patchnames: openSUSE Tumbleweed GA libonnx-1.16.0-1.1

SUSE Timeline for this CVE

CVE page created: Fri Feb 23 21:00:10 2024
CVE page last modified: Thu Apr 4 11:40:56 2024