CVE-2024-8769 Information
Mar 21, 2025
Description
A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows arbitrary file deletion through relative path traversal. The user-controllable run_hash parameter is concatenated, without normalization, into a path that is then used to specify the file to delete. The vulnerable code is reachable through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can delete any arbitrary file on the machine running the tracking server.
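The sketch below is an added example, not code from aimhubio/aim: it contrasts the unnormalized join described above with a lock-path helper that allowlists the identifier and checks containment before deleting. The function names, the `locks` directory layout and the alphanumeric run-hash format are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: run hashes are short alphanumeric tokens; adjust to the real format.
RUN_HASH_RE = re.compile(r"[0-9A-Za-z]{1,64}")

def naive_lock_path(locks_dir: Path, run_hash: str) -> Path:
    """The pattern the advisory describes: join without normalization."""
    return locks_dir / run_hash

def safe_lock_path(locks_dir: Path, run_hash: str) -> Path:
    """Allowlist the identifier, then confirm the resolved path stays inside."""
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise ValueError(f"invalid run hash: {run_hash!r}")
    base = locks_dir.resolve()
    candidate = (base / run_hash).resolve()
    if candidate.parent != base:  # also rejects symlinks that point elsewhere
        raise ValueError("lock path escapes the locks directory")
    return candidate

def release_lock(locks_dir: Path, run_hash: str) -> bool:
    """Delete the lock file for run_hash; True if a file was removed."""
    path = safe_lock_path(locks_dir, run_hash)
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False

def demo() -> dict:
    """Constructed scenario: one lock file and one unrelated file outside locks/."""
    with tempfile.TemporaryDirectory() as tmp:
        locks = Path(tmp) / "locks"
        locks.mkdir()
        (locks / "abc123").write_text("lock")
        outside = Path(tmp) / "keep.txt"
        outside.write_text("data")
        escaped = naive_lock_path(locks, "../keep.txt").resolve() == outside.resolve()
        try:
            release_lock(locks, "../keep.txt")
            rejected = False
        except ValueError:
            rejected = True
        removed = release_lock(locks, "abc123")
        return {"naive_escapes": escaped, "rejected": rejected,
                "outside_survives": outside.exists(), "lock_removed": removed}
```

Validating the identifier at the API boundary and re-checking containment at the deletion site gives two independent controls, so a later refactor of either layer does not reopen the traversal.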
Reference
https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7