Platform: python
Component: onnx
Fixed in: 1.17.0
CVE-2024-7776 is a Path Traversal vulnerability discovered in the download_model function of the onnx framework. This flaw allows attackers to overwrite files within a user's directory by crafting malicious tar archives. The vulnerability affects versions before and including 1.16.1, and a fix is available in version 1.17.0.
An attacker exploiting CVE-2024-7776 can leverage path traversal techniques to overwrite arbitrary files within the user's directory where the onnx framework is installed. This could involve overwriting critical configuration files, executables, or even system binaries. Successful exploitation could lead to remote command execution, allowing the attacker to gain control of the affected system. The blast radius extends to any system running vulnerable versions of the onnx framework and accessible to a malicious actor capable of providing a crafted tar file.
CVE-2024-7776 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it likely that exploits will emerge. The CVSS score of 8.1 (HIGH) indicates a significant risk, and the potential for remote command execution warrants immediate attention. The vulnerability was publicly disclosed on 2025-03-20.
Python developers and systems administrators using the onnx framework in their applications are at risk. This includes those deploying machine learning models or applications that rely on the onnx format. Shared hosting environments where multiple users share the same file system are particularly vulnerable, as a malicious tar file uploaded by one user could potentially impact others.
• python / supply-chain:

import os
import tarfile


def check_onnx_vulnerability(tar_file_path):
    """Report tar entries that could be written outside the extraction directory.

    Flags absolute names and any '..' path component (not only the literal
    '../' substring), plus symlink/hard-link entries whose target does the same.
    """
    def escapes(name):
        parts = os.path.normpath(name).split(os.sep)
        return os.path.isabs(name) or ".." in parts

    try:
        with tarfile.open(tar_file_path, 'r') as tar:
            for member in tar.getmembers():
                is_link = member.issym() or member.islnk()
                if escapes(member.name) or (is_link and escapes(member.linkname)):
                    print(f"Potential path traversal detected in: {member.name}")
                    return True
    except Exception as e:
        print(f"Error processing tar file: {e}")
    return False


# Example usage:
# Replace with the path to a potentially malicious tar file
tar_file = 'malicious.tar.gz'
if check_onnx_vulnerability(tar_file):
    print("Vulnerability likely present.")
else:
    print("No immediate path traversal detected.")

• generic web: Check for unusual file downloads or modifications in web server access logs, especially those related to model downloads.
EPSS: 1.47% (81st percentile)
The primary mitigation for CVE-2024-7776 is to upgrade to version 1.17.0 or later of the onnx framework. If upgrading is not immediately feasible, consider implementing input validation on the download_model function to sanitize file paths and prevent path traversal attempts. Additionally, restrict write access to the user's directory where the onnx framework is installed. Monitor system logs for suspicious file modification activity, particularly within the user's directory. After upgrading, confirm the fix by attempting to download a model with a specially crafted tar file containing path traversal sequences; the download should fail with an appropriate error.
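The input validation the mitigation paragraph calls for, shown as an added example (not code from the onnx project or its download_model function): a hardened tar extractor that resolves every entry's real path before anything is written, refusing absolute names, '..' components and link entries that point outside the destination, and additionally applies the standard library's 'data' extraction filter where the interpreter provides it. The archive names and contents used in demo() are constructed for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def is_member_safe(dest_dir, member):
    """Reject absolute names, '..' components and links that resolve outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return False
    if member.issym() or member.islnk():
        # symlink targets resolve from the link's directory, hard links from the root
        base = os.path.dirname(target) if member.issym() else dest
        link = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest, link]) != dest:
            return False
    return True

def safe_extract(tar_path, dest_dir):
    """Extract into dest_dir; refuse the whole archive if any entry would escape."""
    with tarfile.open(tar_path, "r") as tar:
        members = tar.getmembers()
        for m in members:
            if not is_member_safe(dest_dir, m):
                raise ValueError(f"refusing to extract {m.name!r}")
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # PEP 706 filter where available
        tar.extractall(dest_dir, members=members, **kwargs)
    return [m.name for m in members]

def write_constructed_archive(tar_path, names):
    """Constructed sample .tar.gz whose entries carry the given names."""
    with tarfile.open(tar_path, "w:gz") as tar:
        for name in names:
            info, data = tarfile.TarInfo(name), b"constructed sample"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def demo():
    """Extract a benign archive, then try one carrying a '..' entry; returns (names, rejected)."""
    with tempfile.TemporaryDirectory() as work:
        ok, bad, out = (os.path.join(work, n) for n in ("ok.tgz", "bad.tgz", "out"))
        write_constructed_archive(ok, ["model/model.onnx"])
        extracted = safe_extract(ok, out)
        write_constructed_archive(bad, ["model/model.onnx", "../../escaped.txt"])
        try:
            safe_extract(bad, out)
            return extracted, False
        except ValueError:
            return extracted, True
```

The whole archive is rejected before the first write, so a traversal entry hidden behind benign ones cannot land a partial extraction.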
Upgrade the onnx library to a version later than 1.16.1. This can be done with the pip package manager: `pip install --upgrade onnx`. Verify that the upgrade completed successfully and that the installed version is the expected one.
CVE-2024-7776 is a Path Traversal vulnerability in the onnx framework's download_model function, allowing attackers to overwrite files via malicious tar archives.
You are affected if you are using onnx versions less than or equal to 1.9.0. Check your installed version and upgrade if necessary.
Upgrade to version 1.17.0 or later of the onnx framework. If immediate upgrade is not possible, implement input validation and restrict write access.
While no widespread exploitation has been confirmed, the vulnerability's nature and high CVSS score suggest potential for exploitation. Monitor your systems closely.
Refer to the onnx project's security advisories and release notes for details: [https://github.com/onnx/onnx/security/advisories](https://github.com/onnx/onnx/security/advisories)