Skip to main content

Aim CVE-2024-2195

CRITICAL
Code Injection (CWE-94)
2024-04-10 security@huntr.dev
9.8
CVSS 3.0 · Vendor: huntr
Share

Severity by source

Vendor (huntr) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (huntr) · only source for this CVE.

CVSS VectorVendor: huntr

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 10, 2024 - 17:15 cve.org
CRITICAL 9.8

DescriptionCVE.org

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

AnalysisAI

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise. Affected products include: Aimstack Aim.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

More in Aim

View all
CVE-2024-6396 CRITICAL POC
9.8 Jul 12

A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any fi

CVE-2024-6829 CRITICAL POC
9.1 Mar 20

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extr

CVE-2024-2196 HIGH POC
8.8 Apr 10

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting

CVE-2021-43775 HIGH POC
8.6 Nov 23

Aim is an open-source, self-hosted machine learning experiment tracking tool. Rated high severity (CVSS 8.6), this vulne

CVE-2024-8238 HIGH POC
8.1 Mar 20

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function fro

CVE-2024-6851 HIGH POC
7.5 Mar 20

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-spec

CVE-2024-10110 HIGH POC
7.5 Mar 20

In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of t

CVE-2025-0190 HIGH POC
7.5 Mar 20

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. Rated high severity (CVSS 7.5), this vulner

CVE-2024-12778 HIGH POC
7.5 Mar 20

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. Rated high severity (CVSS 7.

CVE-2024-8061 HIGH POC
7.5 Mar 20

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, cau

CVE-2024-6227 HIGH POC
7.5 Jul 08

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tr

CVE-2024-8101 MEDIUM POC
6.1 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0.

Share

CVE-2024-2195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy