CVE-2024-8769

Description

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

How to fix CVE-2024-8769

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2024-8769 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 3.15.0, <= 3.27.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-8769
• PATCHgithub.com/aimhubio/aim
• WEBgithub.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140
• WEBhuntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7