nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka nnabla) prior to v1.0.10 relies on the HOME environment variable, which might be untrusted.
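A defensive check for the class of weakness described above, as an added example that is not nnabla's code or its fix: it validates the value of HOME before deriving a log directory from it. The page does not show how logger.cpp uses HOME; the helper names `is_trusted_home` and `resolve_log_dir` and the `example_logs` subdirectory are assumptions made for illustration.

```cpp
// Added example (not from nnabla): treat HOME as untrusted input and
// validate it before using it to build a path the process will write to.
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// True only if `home` is an absolute path to a real directory (not a symlink)
// that is owned by `uid` and is not writable by group or others.
bool is_trusted_home(const std::string& home, uid_t uid) {
    if (home.empty() || home[0] != '/') return false;    // unset or relative
    struct stat st;
    if (lstat(home.c_str(), &st) != 0) return false;      // missing or unreadable
    if (!S_ISDIR(st.st_mode)) return false;               // symlink, file, device
    if (st.st_uid != uid) return false;                   // another user's directory
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return false;   // others could plant files
    return true;
}

// Hypothetical helper: decide where a logger may write. Returns "" when HOME
// cannot be trusted, so the caller can fall back to stderr-only logging.
std::string resolve_log_dir(const char* home_env, uid_t uid,
                            const std::string& subdir = "example_logs") {
    if (home_env == nullptr) return "";
    std::string home(home_env);
    // Strip trailing slashes: lstat("link/") would follow the symlink.
    while (home.size() > 1 && home.back() == '/') home.pop_back();
    if (!is_trusted_home(home, uid)) return "";
    return home + "/" + subdir;
}

int main() {
    std::string dir = resolve_log_dir(std::getenv("HOME"), geteuid());
    // An empty result means: create no files, log to stderr instead.
    return dir.empty() ? 1 : 0;
}
```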
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-10844
- https://github.com/sony/nnabla/issues/209
- https://github.com/sony/nnabla/pull/299
- https://github.com/sony/nnabla/commit/e87347648ab7210529a0e60f0849680de8e9b63a
- https://github.com/sony/nnabla/releases/tag/v1.0.10
- https://github.com/advisories/GHSA-4q2w-rw7m-xqw6