Upstream information

CVE-2024-27318 at MITRE

Description

Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently not rated by SUSE as it is not affecting the SUSE Enterprise products.

SUSE Bugzilla entry: 1220347 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • libonnx >= 1.16.0-1.1
  • libonnx_proto >= 1.16.0-1.1
  • onnx-backend-test >= 1.16.0-1.1
  • onnx-devel >= 1.16.0-1.1
  • python310-onnx >= 1.16.0-1.1
  • python311-onnx >= 1.16.0-1.1
  • python312-onnx >= 1.16.0-1.1
Patchnames:
openSUSE-Tumbleweed-2024-13803


SUSE Timeline for this CVE

CVE page created: Fri Feb 23 21:00:10 2024
CVE page last modified: Tue Sep 3 19:34:13 2024