{"id":"PYSEC-2024-223","details":"Versions of the onnx package up to and including 1.15.0 are vulnerable to an out-of-bounds read: the ONNX_ASSERT and ONNX_ASSERTM functions perform an off-by-one string copy. The issue is fixed in onnx 1.16.0 (upstream commit 08a399ba75a805b7813ab8936b91d0e274b08287); users should upgrade to 1.16.0 or later.\n","aliases":["CVE-2024-27319","GHSA-h8wv-9h96-m4hr"],"modified":"2025-01-22T16:56:45.397855Z","published":"2024-02-23T18:15:50Z","references":[{"type":"FIX","url":"https://github.com/onnx/onnx/commit/08a399ba75a805b7813ab8936b91d0e274b08287"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGTBH5ZYL2LGYHIJDHN2MAUURIR5E7PY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFJJID2IZDOLFDMWVYTBDI75ZJQC6JOL/"}],"affected":[{"package":{"name":"onnx","ecosystem":"PyPI","purl":"pkg:pypi/onnx"},"ranges":[{"type":"GIT","repo":"https://github.com/onnx/onnx","events":[{"introduced":"0"},{"fixed":"08a399ba75a805b7813ab8936b91d0e274b08287"},{"fixed":"08a399ba75a805b7813ab8936b91d0e274b08287"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.16.0"}]}],"versions":["0.1","0.2","0.2.1","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.10.0","1.10.1","1.10.2","1.11.0","1.12.0","1.13.0","1.13.1","1.14.0","1.14.1","1.15.0","1.2.1","1.2.2","1.2.3","1.3.0","1.4.0","1.4.1","1.5.0","1.6.0","1.7.0","1.8.0","1.8.1","1.9.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/onnx/PYSEC-2024-223.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}