CVE-2024-2195
CVE-2024-2195 is a vulnerability of currently unknown severity. EPSS estimates a 1.80% chance of exploitation in the next 30 days.
Description
A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Aimstack | Aim | >= 3.0.0 |
References
- https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018 (Exploit, Third Party Advisory)
Source: NVD / NIST
