CVE-2024-2195

Summary

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

Affected Software

VendorProductVersion RangeStatus
aimhubioaimhubio/aimunspecified <= latestaffected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

CVE Program Container

Additional References

References