CVE-2024-8769

CRITICAL9.1EPSS 1.3%

Aim path traversal in LockManager.release_locks

Published: 3/20/2025Modified: 3/20/2025

Description

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

Affected packages (1)

PyPI/aim>= 3.15.0, <= 3.27.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8769
PATCHhttps://github.com/aimhubio/aim
WEBhttps://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140
WEBhttps://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7