CVE-2024-8769

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7	Exploit
https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:aimstack:aim:*:*:*:*:*:*:*:*

History

01 Apr 2025, 20:30

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7 -~~	() https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7 - Exploit
First Time		Aimstack Aimstack aim
CWE		CWE-22
CPE		cpe:2.3:a:aimstack:aim::::::::

20 Mar 2025, 13:15

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7 -~~	() https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7 -
Summary		(es) Una vulnerabilidad en la función `LockManager.release_locks` de aimhubio/aim (commit bb76afe) permite la eliminación arbitraria de archivos mediante un path traversal relativo. El parámetro `run_hash`, controlable por el usuario, se concatena sin normalización como parte de una ruta utilizada para especificar la eliminación de archivos. Esta vulnerabilidad se expone mediante el método `Repo._close_run()`, accesible mediante la API de instrucciones del servidor de seguimiento. Por lo tanto, un atacante puede explotarla para eliminar cualquier archivo arbitrario en la máquina que ejecuta el servidor de seguimiento.

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:30

NVD link : CVE-2024-8769

Mitre link : CVE-2024-8769

CVE.ORG link : CVE-2024-8769

JSON object : View

Products Affected

aimstack

CWE

CWE-29

Path Traversal: '\..\filename'

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

9.1 /10