Home > Vulnerability Database > CVE-2024-8238

Mend.io Vulnerability Database

CVE-2024-8238

Good to know:

Date: March 20, 2025

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.

Severity Score

5.9

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-8238

Url: https://github.com/aimhubio/aim

Url: https://github.com/aimhubio/aim/blob/main/aim/storage/query.py#L45

Url: https://huntr.com/bounties/4e140ef9-f6d1-4e68-a44c-3b9e856924d3

Url: https://www.mend.io/vulnerability-database/CVE-2024-8238

Severity Score

5.9

Weakness Type (CWE)

Improper Access Control

CWE-284

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

Top Fix

Upgrade Version

Upgrade to version https://github.com/aimhubio/aim.git - no_fix

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-8238

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?