CVE-2024-2195: Aim Web API vulnerable to Remote Code Execution

April 10, 2024 (updated October 25, 2024)

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

References

github.com/advisories/GHSA-mxvw-cj37-8g2h
github.com/aimhubio/aim
huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018
nvd.nist.gov/vuln/detail/CVE-2024-2195

Detect and mitigate CVE-2024-2195 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →