CVE Vulnerability

CVE-2021-43775

Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash (../)� sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

8.6 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/aimhubio/aim/issues/999 Issue Tracking Third Party Advisory
https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc Exploit Third Party Advisory
https://github.com/aimhubio/aim/pull/1003 Patch Third Party Advisory
https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16 Product
https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738 Patch
Configurations

Configuration 1

cpe:2.3:a:aimstack:aim:*:*:*:*:*:python:*:*
Information

Published : 2021-11-23 09:15

Updated : 2023-02-24 03:49

NVD link : CVE-2021-43775

Mitre link : CVE-2021-43775

Products Affected
No products.
CWE
CWE-22