CVE-2024-27318

Description

Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.12%
Third-Party Advisory fedoraproject.org Third-Party Advisory fedoraproject.org
Affected: onnx onnx
Published at:
Updated at:

References

Link Tags
https://github.com/onnx/onnx/commit/66b7fb630903fdcf3e83b6b6d56d82e904264a20 patch
https://security.snyk.io/vuln/SNYK-PYTHON-ONNX-2395479 product
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFJJID2IZDOLFDMWVYTBDI75ZJQC6JOL/ third party advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGTBH5ZYL2LGYHIJDHN2MAUURIR5E7PY/ third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-27318?
CVE-2024-27318 has been scored as a high severity vulnerability.
How to fix CVE-2024-27318?
To fix CVE-2024-27318, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-27318 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-27318 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-27318?
CVE-2024-27318 affects onnx onnx.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.