CVE-2024-8769

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-8769

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8769.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-8769

Aliases

GHSA-4qcx-jx49-6qrh

Published

2025-03-20T10:15:44.220Z

Modified

2025-11-16T12:07:16.535281Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

References

https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7

Affected packages

Git / github.com/aimhubio/aim

Affected ranges

Type: GIT
Repo: https://github.com/aimhubio/aim
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bb76afe6e9a54364f322520cc4fea2679238f904

Affected versions

Other

pre-launch

v0.*

v0.1.0

v0.1.1

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v1.*

v1.0.0

v1.0.2

v1.1.0

v1.1.1

v1.2.7rc1

v2.*

v2.1.6

v2.2.0

v2.2.1

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v3.*

v3.0.0

v3.0.0-beta5

v3.0.0-beta6

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.1.0

v3.1.1

v3.10.0

v3.10.1

v3.10.2

v3.10.3

v3.11.0

v3.11.1

v3.11.2

v3.12.0

v3.12.1

v3.12.2

v3.13.0

v3.13.1

v3.13.2

v3.13.3

v3.13.4

v3.14.0

v3.14.1

v3.14.2

v3.14.3

v3.14.4

v3.15.0

v3.15.1

v3.15.2

v3.16.0

v3.16.1

v3.16.2

v3.17.0

v3.17.1

v3.17.2

v3.17.3

v3.17.4

v3.17.5

v3.18.1

v3.19.0

v3.19.1

v3.19.2

v3.19.3

v3.2.0

v3.2.1

v3.2.2

v3.20.1

v3.21.0

v3.22.0

v3.23.0

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.4.0

v3.4.1

v3.5.0

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.7.0

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.8.0

v3.8.1

v3.9.0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8769.json"