onnx erlaubt willkürliches Überschreiben von Dateien in `download_model_with_test_data`

The vulnerability lies within the downloadmodelwithtestdata function, where the framework fails to properly sanitize paths within malicious tar archives. An attacker can craft a specially designed tar file containing paths that bypass the intended security checks, allowing them to overwrite arbitrary files on the system. This could involve overwriting critical system files, configuration files, or application data, leading to a complete system takeover. The potential impact extends beyond data corruption; successful file overwrites could facilitate remote code execution, enabling attackers to run arbitrary commands with the privileges of the process running the onnx framework. This vulnerability shares similarities with other path traversal exploits where insufficient input validation allows attackers to access or modify files outside of the intended directory.

Organizations and developers utilizing the onnx framework in their machine learning pipelines, particularly those processing untrusted data or models from external sources, are at risk. Systems with older versions of onnx deployed in production environments, especially those with limited security controls, are particularly vulnerable.

• python / system:

import os
import tarfile

def check_tar_extraction(tar_file_path, extraction_path):
    try:
        with tarfile.open(tar_file_path, 'r') as tar:
            tar.extractall(path=extraction_path)
        print(f"Extraction successful to {extraction_path}")
    except Exception as e:
        print(f"Extraction failed: {e}")

# Example usage (replace with actual paths)
# check_tar_extraction('/path/to/malicious.tar.gz', '/tmp/extraction_test')

• python / library: Examine onnx framework code for instances of tarfile.extractall without proper path sanitization. • generic web: Monitor web server access logs for requests containing tar files, especially those originating from untrusted sources.

1. 2024-06-06Disclosure

   disclosure

1. Reserviert2024-05-21
2. Veröffentlicht2024-06-06
3. Geändert2025-10-09
4. EPSS aktualisiert2026-04-02

The primary mitigation is to upgrade to version 1.16.2 or later, which includes the necessary security fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to restrict the directories where the downloadmodelwithtestdata function can extract tar files to a tightly controlled and isolated location. Additionally, implement strict input validation on any user-provided data used in file path construction. Consider using a Web Application Firewall (WAF) to filter out potentially malicious tar files based on known patterns or signatures. Monitor system logs for suspicious file access or modification events, particularly in directories that should not be modified. After upgrading, verify the fix by attempting to extract a known malicious tar file and confirming that the file access is denied.