
CVE-2024-8769
Date: March 20, 2025
A vulnerability in the "LockManager.release_locks" function in aimhubio/aim (commit bb76afe) allows arbitrary file deletion through relative path traversal. The user-controllable "run_hash" parameter is concatenated, without normalization, into the path of the file to be deleted. The vulnerable function is reachable through the "Repo._close_run()" method, which is exposed via the tracking server instruction API. As a result, an attacker can delete arbitrary files on the machine running the tracking server.
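An added illustration of the bug class described above and one way to close it, written for this page and not taken from aim's code or its fix. The function names, the hex format assumed for run hashes and the sandbox files are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Assumption: run hashes are lowercase hex strings; adapt to the real ID format.
RUN_HASH_RE = re.compile(r"[0-9a-f]{8,64}")

def escapes(base: Path, candidate: Path) -> bool:
    """True when candidate, after resolving '..' and symlinks, is outside base."""
    try:
        candidate.resolve().relative_to(base.resolve())
        return False
    except ValueError:
        return True

def safe_lock_path(locks_dir: Path, run_hash: str) -> Path:
    """Allow-list the identifier, then confirm containment before any file op."""
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise ValueError("invalid run hash")
    candidate = locks_dir / run_hash
    if escapes(locks_dir, candidate):
        raise ValueError("lock path escapes lock directory")
    return candidate

def release_lock(locks_dir: Path, run_hash: str) -> bool:
    """Hypothetical hardened release: delete only a validated lock file."""
    path = safe_lock_path(locks_dir, run_hash)
    existed = path.exists()
    path.unlink(missing_ok=True)
    return existed

def demo() -> dict:
    """Constructed sandbox: a lock directory next to a file that must survive."""
    with tempfile.TemporaryDirectory() as tmp:
        locks = Path(tmp) / "locks"
        locks.mkdir()
        bystander = Path(tmp) / "bystander.txt"
        bystander.write_text("keep me")
        (locks / "0123456789abcdef").touch()
        # Unnormalized join, as in the description: the result leaves locks/.
        out = {"naive_join_escapes": escapes(locks, locks / "../bystander.txt")}
        try:
            release_lock(locks, "../bystander.txt")
            out["traversal_rejected"] = False
        except ValueError:
            out["traversal_rejected"] = True
        out["bystander_intact"] = bystander.exists()
        out["valid_lock_released"] = release_lock(locks, "0123456789abcdef")
        return out
```

The allow-list alone stops the traversal string; the containment check is kept as a second layer so a symlinked lock entry or a later change to the identifier format cannot reintroduce the escape.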
Severity Score
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | HIGH |
Availability (A): | HIGH |