#VU75176 Path traversal in onnx - CVE-2022-25882

Cybersecurity Help s.r.o.

Published: 2023-04-17 | Updated: 2024-03-21

Vulnerability identifier: #VU75176

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-25882

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
onnx
Universal components / Libraries / Libraries used by multiple products

Vendor: Open Neural Network Exchange

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Request example:

http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Mitigation
Install update from vendor's website.

Vulnerable software versions

onnx: 0.1 - 1.12.0

External links
https://gist.github.com/jnovikov/02a9aff9bf2188033e77bd91ff062856
https://github.com/onnx/onnx/issues/3991
https://security.snyk.io/vuln/SNYK-PYTHON-ONNX-2395479
https://github.com/onnx/onnx/blob/96516aecd4c110b0ac57eba08ac236ebf7205728/onnx/checker.cc%23L129
https://github.com/onnx/onnx/commit/f369b0e859024095d721f1d1612da5a8fa38988d
https://github.com/onnx/onnx/pull/4400

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Splunk Python for Scientific Computing update for third-party packages

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM Watson Studio on Cloud Pak for Data

Path traversal in onnx