CVE-2024-2195 — CRITICAL (9.8)

Vulnerability Description

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Aimstack	Aim	>= 3.0.0

Related Weaknesses (CWE)

CWE-94

References

https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018ExploitThird Party Advisory
https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018ExploitThird Party Advisory

FAQ

What is CVE-2024-2195?

CVE-2024-2195 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerabilit...

How severe is CVE-2024-2195?

CVE-2024-2195 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-2195?

Check the references section above for vendor advisories and patch information. Affected products include: Aimstack Aim.