CVE-2024-12216 Information
Mar 21, 2025
cve
Description
A vulnerability in the ImageClassificationDataset.from_csv() API of the dmlc/gluon-cv repository, version 0.10.0, allows arbitrary file write. The function downloads and extracts tar.gz files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, overwrite files on the victim's system via path traversal or faked symlinks.
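The defensive counterpart to the description above is to validate every archive member before anything is written: reject absolute names, `..` components, and symlinks or hard links whose resolved target lands outside the destination directory. The following is an added example, not code from gluon-cv or from the advisory; all function names (`scan_archive`, `safe_extract`, `build_archive`, `demo`, `rejects`) and the sample archives are assumptions constructed for illustration. On Python 3.12 and later (and the backports that ship `tarfile.data_filter`) the example also passes `filter="data"` to `extractall`, which is the standard library's own TarSlip guard.

```python
"""Hardened tar.gz extraction that refuses TarSlip members.
Added example (assumption): not gluon-cv code, names are illustrative."""
import io
import os
import tarfile
import tempfile
from pathlib import PurePosixPath


def _inside(base: str, path: str) -> bool:
    """True if path, after normalisation, stays inside base."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def scan_archive(data: bytes, dest: str) -> list:
    """Return (member_name, reason) for every entry that must not be extracted.
    An empty list means the whole archive is safe to unpack into dest."""
    dest = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = PurePosixPath(m.name)
            target = os.path.join(dest, m.name)
            if name.is_absolute() or ".." in name.parts or not _inside(dest, target):
                bad.append((m.name, "path traversal"))
            elif m.issym():
                # A symlink target is resolved relative to the link's own directory.
                link = os.path.join(os.path.dirname(target), m.linkname)
                if PurePosixPath(m.linkname).is_absolute() or not _inside(dest, link):
                    bad.append((m.name, "symlink escapes destination"))
            elif m.islnk():
                # A hard link target is relative to the archive root.
                if not _inside(dest, os.path.join(dest, m.linkname)):
                    bad.append((m.name, "hardlink escapes destination"))
            elif not (m.isfile() or m.isdir()):
                bad.append((m.name, "special file"))
    return bad


def safe_extract(data: bytes, dest: str) -> list:
    """Unpack only after the complete archive has passed scan_archive.
    Checking every member first matters: a later entry could otherwise be
    written through a link that an earlier entry already created."""
    bad = scan_archive(data, dest)
    if bad:
        raise ValueError(f"refusing to extract unsafe archive: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        if hasattr(tarfile, "data_filter"):  # Python >= 3.12 and backports
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def rejects(data: bytes, dest: str) -> bool:
    """True if safe_extract refuses the archive (nothing is written on refusal)."""
    try:
        safe_extract(data, dest)
    except ValueError:
        return True
    return False


def build_archive(entries) -> bytes:
    """Constructed sample .tar.gz; entries are (name, kind, payload) with
    kind "file" (payload = content) or "sym" (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed samples: a benign dataset archive and two TarSlip-shaped ones.
CLEAN = build_archive([("images/cat.jpg", "file", "not-really-jpeg"),
                       ("labels.csv", "file", "images/cat.jpg,cat\n")])
TRAVERSAL = build_archive([("../outside.txt", "file", "overwritten")])
SYMLINK = build_archive([("escape", "sym", "../../outside")])


def demo() -> dict:
    """Extract the clean archive into a fresh temp dir and report the result."""
    dest = tempfile.mkdtemp()
    names = safe_extract(CLEAN, dest)
    return {"extracted": names,
            "csv_exists": os.path.isfile(os.path.join(dest, "labels.csv"))}


if __name__ == "__main__":
    print(demo())
    print(scan_archive(TRAVERSAL, "/tmp/dataset"), scan_archive(SYMLINK, "/tmp/dataset"))
```

The scan deliberately runs over the entire member list before a single byte is written, and the destination path is compared after `realpath` normalisation rather than by string prefix, so `dest/../x` and `dest-other/x` are both caught.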
Reference
https://huntr.com/bounties/46081fdc-2951-4deb-a2c9-2627007bdce0