CVE-2024-2195

moderate-risk
Published 2024-04-10

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

Do I need to act?

~
8.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Aim

Affected Vendors

Aimstack

References (2)

Exploit https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018
Exploit https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018
47
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 10/34 · Low
Exposure 5/34 · Minimal