CVE-2024-12216 — GluonCV Arbitrary File Write via TarSlip

Description

A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.

How to fix CVE-2024-12216

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-12216 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.10.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-12216
PATCHgithub.com/dmlc/gluon-cv
WEBgithub.com/dmlc/gluon-cv/blob/3862e2db33ab650eff7c7c5c5891e805207027b1/gluoncv/utils/filesystem.py#L223-L229
WEBhuntr.com/bounties/46081fdc-2951-4deb-a2c9-2627007bdce0