{"data":{"id":"79c78ff2-6879-487d-8fc2-6f1eba2d7f18","title":"CVE-2023-5245: FileUtil.extract() enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory","summary":"CVE-2023-5245 is a path traversal vulnerability in FileUtil.extract(): when extracting a zip file, it does not check whether entry paths fall outside the intended directory, so an attacker-supplied archive can create files outside that directory and potentially lead to code execution when TensorflowModel processes a saved model. Path traversal is a technique where an attacker uses file paths like '../../../' to escape a restricted folder.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2023-5245","publishedAt":"2023-11-15T18:15:07.457Z","cveId":"CVE-2023-5245","cweIds":["CWE-22"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["TensorFlow","MLEap"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0045,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}