CVE-2021-43775
moderate-risk
Published 2021-11-23
Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with "dot-dot-slash (../)" sequences or variations of them, or by supplying absolute file paths, an attacker may be able to read arbitrary files and directories on the server's file system, including application source code, configuration files and critical system files. The issue is resolved in Aim v3.1.0.
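The two traversal variants the advisory names (dot-dot-slash sequences and absolute paths) both come from the same root cause: a user-controlled path is joined onto a base directory without checking that the result still lies inside it. The following is an added example, not Aim's code or the actual vulnerable endpoint; the function names, the base directory and the request strings are constructed for illustration. It shows the naive join beside a contained resolver, including the percent-encoded and symlink variants a practitioner would test for.

```python
"""Path traversal: a naive path join beside a contained resolver.

Added example, not Aim's code. Function names, the base directory and the
request strings are assumptions constructed for illustration.
"""
import os
import tempfile
import urllib.parse
from typing import Optional


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Naive join (the vulnerable pattern). '../' segments walk out of
    base_dir, and os.path.join discards base_dir entirely when `requested`
    is an absolute path, so both variants reach arbitrary files."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical on-disk path if it lies inside base_dir, else None."""
    # Decode percent-encoding exactly once so '%2e%2e%2f' is judged as '../'
    # rather than as an innocent-looking literal segment. Decoding twice would
    # let '%252e' resurface as a second layer, so stop after one pass.
    decoded = urllib.parse.unquote(requested)
    # Refuse absolute paths outright; the leading-separator check also covers
    # backslash-rooted input that isabs() may not treat as absolute.
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # realpath() collapses '..' and follows symlinks, so a link inside the
    # served tree that points outside it is caught too. commonpath() instead
    # of startswith() avoids accepting '/srv/app2/x' for root '/srv/app'.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # different drives on Windows: outside root by definition
        return None
    return candidate


def demo() -> dict:
    """Exercise both resolvers in a constructed sandbox (temp dir, no real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "static")
        os.mkdir(base)
        secret = os.path.join(tmp, "secret.cfg")  # sits outside the served tree
        with open(secret, "w") as fh:
            fh.write("db_password=constructed\n")
        # A symlink inside the served tree pointing outside it.
        os.symlink(secret, os.path.join(base, "link.cfg"))
        want = os.path.realpath(secret)
        return {
            "naive_dotdot_escapes": os.path.realpath(vulnerable_resolve(base, "../secret.cfg")) == want,
            "naive_absolute_escapes": os.path.realpath(vulnerable_resolve(base, secret)) == want,
            "safe_dotdot": safe_resolve(base, "../secret.cfg"),
            "safe_encoded_dotdot": safe_resolve(base, "%2e%2e%2fsecret.cfg"),
            "safe_absolute": safe_resolve(base, secret),
            "safe_symlink": safe_resolve(base, "link.cfg"),
            "safe_in_tree": safe_resolve(base, "css/../index.html")
            == os.path.realpath(os.path.join(base, "index.html")),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The containment check must run on the fully resolved path, after decoding and after symlink resolution; checking the raw request string for "../" misses encoded forms, absolute paths and links, which is why the hardened version never inspects the request text directly.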
Do I need to act?
EPSS: 0.45% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: fixed in Aim v3.1.0; upgrade to 3.1.0 or later (check vendor advisories for mitigation guidance)
CVSS: 8.6/10 (High); attack vector NETWORK, attack complexity LOW
Affected Products (1): Aim, versions prior to 3.1.0
Affected Vendors: Aim project (github.com/aimhubio)
References (10)
Issue Tracking: https://github.com/aimhubio/aim/issues/999
Risk score: 36/100 (moderate-risk)
Severity: 29/34 (Critical)
Exploitability: 2/34 (Minimal)
Exposure: 5/34 (Minimal)