CVE-2021-43775 Information

Description

Aim is an open-source self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash (../)� sequences and its variations or by using absolute file paths it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Reference

https://github.com/aimhubio/aim/issues/999 https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc https://github.com/aimhubio/aim/pull/1003 https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16 https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

8.6