Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04cGhqLWY5dzItY2pjY80X4g

Arbitrary file reading vulnerability in Aim

Impact

A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

Vulnerable code: https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16

Patches

The vulnerability issue is resolved in Aim v3.1.0.

References

https://owasp.org/www-community/attacks/Path_Traversal

Permalink: https://github.com/advisories/GHSA-8phj-f9w2-cjcc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cGhqLWY5dzItY2pjY80X4g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago

CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Identifiers: GHSA-8phj-f9w2-cjcc, CVE-2021-43775
References:

• https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc
• https://github.com/aimhubio/aim/pull/1003
• https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16
• https://nvd.nist.gov/vuln/detail/CVE-2021-43775
• https://github.com/aimhubio/aim/issues/999
• https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738
• https://github.com/advisories/GHSA-8phj-f9w2-cjcc

Repository: https://github.com/aimhubio/aim
Blast Radius: 18.3

Affected Packages