CVE-2024-12216

Summary

A vulnerability in the ImageClassificationDataset.from_csv() API of the dmlc/gluon-cv repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts tar.gz files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.

Affected Software

VendorProductVersion RangeStatus
dmlcdmlc/gluon-cvunspecified <= latestaffected

Weaknesses

  • CWE-59: CWE-59 Improper Link Resolution Before File Access

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References