Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2024-27318

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 year, 2 months ago

Versions of the package onnx before and including 1.15.0 are …

Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass for the patch added for CVE-2022-25882.

References

https://github.com/onnx/onnx/commit/66b7fb630903fdcf3e83b6b6d56d82e904264a20 x_transferred
https://security.snyk.io/vuln/SNYK-PYTHON-ONNX-2395479 x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred

Affected products

onnx

=<1.15.0

Matching in nixpkgs

pkgs.onnxruntime

Cross-platform, high performance scoring engine for ML models

nixos-unstable 1.18.1
- nixpkgs-unstable 1.18.1
- nixos-unstable-small 1.18.1

pkgs.python311Packages.onnx

Open Neural Network Exchange

nixos-unstable 1.17.0
- nixpkgs-unstable 1.17.0
- nixos-unstable-small 1.17.0

pkgs.python312Packages.onnx

Open Neural Network Exchange

nixos-unstable 1.17.0
- nixpkgs-unstable 1.17.0
- nixos-unstable-small 1.17.0

pkgs.python311Packages.skl2onnx

Convert scikit-learn models to ONNX

nixos-unstable skl2onnx-1.17.0
- nixpkgs-unstable skl2onnx-1.17.0
- nixos-unstable-small skl2onnx-1.17.0

pkgs.python312Packages.skl2onnx

Convert scikit-learn models to ONNX

nixos-unstable skl2onnx-1.17.0
- nixpkgs-unstable skl2onnx-1.17.0
- nixos-unstable-small skl2onnx-1.17.0

pkgs.python311Packages.onnxmltools

ONNXMLTools enables conversion of models to ONNX

nixos-unstable 1.12.0
- nixpkgs-unstable 1.12.0
- nixos-unstable-small 1.12.0

pkgs.python311Packages.onnxruntime

Cross-platform, high performance scoring engine for ML models

nixos-unstable 1.18.1
- nixpkgs-unstable 1.18.1
- nixos-unstable-small 1.18.1

pkgs.python312Packages.onnxmltools

ONNXMLTools enables conversion of models to ONNX

nixos-unstable 1.12.0
- nixpkgs-unstable 1.12.0
- nixos-unstable-small 1.12.0

pkgs.python312Packages.onnxruntime

Cross-platform, high performance scoring engine for ML models

nixos-unstable 1.18.1
- nixpkgs-unstable 1.18.1
- nixos-unstable-small 1.18.1

pkgs.python311Packages.onnxruntime-tools

Transformers Model Optimization Tool of ONNXRuntime

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.python312Packages.onnxruntime-tools

Transformers Model Optimization Tool of ONNXRuntime

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.python311Packages.onnxconverter-common

ONNX Converter and Optimization Tools

nixos-unstable 1.14.0
- nixpkgs-unstable 1.14.0
- nixos-unstable-small 1.14.0

pkgs.python311Packages.rapidocr-onnxruntime

Cross platform OCR Library based on OnnxRuntime

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.1

pkgs.python312Packages.onnxconverter-common

ONNX Converter and Optimization Tools

nixos-unstable 1.14.0
- nixpkgs-unstable 1.14.0
- nixos-unstable-small 1.14.0

pkgs.python312Packages.rapidocr-onnxruntime

Cross platform OCR Library based on OnnxRuntime

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.1

Package maintainers

@ck3d Christian Kögler <ck3d@gmx.de>
@cbourjau Christian Bourjau <christianb@posteo.de>
@puffnfresh Brian McKenna <brian@brianmckenna.org>
@acairncross Aiken Cairncross <acairncross@gmail.com>
@happysalada Raphael Megzari <raphael@megzari.com>
@pluiedev Leah Amelia Chen <hi@pluie.me>