CVE-2024-6483 — MEDIUM (5.3)

Vulnerability Description

A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Aimstack	Aim	3.19.3

Related Weaknesses (CWE)

CWE-23

References

https://huntr.com/bounties/dc45d480-e579-4af4-8603-c52ecfd5e363ExploitThird Party Advisory

FAQ

What is CVE-2024-6483?

CVE-2024-6483 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal...

How severe is CVE-2024-6483?

CVE-2024-6483 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-6483?

Check the references section above for vendor advisories and patch information. Affected products include: Aimstack Aim.