Skip to content

Arbitrary file reading vulnerability in Aim

High severity GitHub Reviewed Published Nov 23, 2021 in aimhubio/aim • Updated Aug 30, 2024

Package

pip aim (pip)

Affected versions

< 3.1.0

Patched versions

3.1.0

Description

Impact

A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

Vulnerable code: https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16

Patches

The vulnerability issue is resolved in Aim v3.1.0.

References

https://owasp.org/www-community/attacks/Path_Traversal

References

@gorarakelyan gorarakelyan published to aimhubio/aim Nov 23, 2021
Reviewed Nov 23, 2021
Published by the National Vulnerability Database Nov 23, 2021
Published to the GitHub Advisory Database Nov 23, 2021
Last updated Aug 30, 2024

Severity

High

EPSS score

0.193%
(57th percentile)

Weaknesses

CVE ID

CVE-2021-43775

GHSA ID

GHSA-8phj-f9w2-cjcc

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.