CVE-2023-5245

Name of the Vulnerable Software and Affected Versions MLeap versions prior to 0.17.0

Description The issue is related to a path traversal flaw, also known as Zip Slip, which allows arbitrary file creation and can lead to code execution. This occurs when the FileUtil.extract() function enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory. When creating an instance of TensorflowModel using the saved model format and an exported tensorflow model, the apply() function invokes the vulnerable implementation of FileUtil.extract(). This can result in arbitrary file overwrites, risking denial-of-service (DoS) or remote code execution (RCE).

Recommendations For MLeap versions prior to 0.17.0, update to version 0.17.0 to resolve the issue. As a temporary workaround, consider restricting the use of the FileUtil.extract() function until a patch is available. Avoid using the vulnerable implementation of FileUtil.extract() when creating instances of TensorflowModel using the saved model format and an exported tensorflow model.