Platform
python
Component
aim
Fixed in
3.22.1
CVE-2024-6851 describes a Path Traversal vulnerability discovered in aimhubio/aim, a Python-based tracking server. This flaw allows an attacker to delete arbitrary files by crafting a malicious glob-pattern within the LocalFileManager._cleanup function. Versions of aimhubio/aim prior to 3.22.0 are affected. A fix is expected in a future release.
The vulnerability lies in the LocalFileManager._cleanup function, which is responsible for deleting files based on a user-provided glob-pattern. The function fails to adequately validate that the matched files reside within the intended directory managed by LocalFileManager. Consequently, a malicious actor can construct a glob-pattern that targets files outside of this directory, leading to unauthorized deletion of sensitive data. This could include configuration files, application code, or even system files, potentially disrupting the entire tracking server and compromising its integrity. The potential impact extends beyond data loss, as an attacker could potentially gain control over the server by deleting critical components.
CVE-2024-6851 was publicly disclosed on 2025-03-20. The vulnerability's ease of exploitation, combined with the potential for significant data loss, warrants careful attention. There is no indication of active exploitation campaigns at this time, nor is it listed on KEV. The EPSS score is currently pending evaluation. Public proof-of-concept code is not yet available.
Organizations and individuals utilizing aimhubio/aim versions 3.22.0 and earlier, particularly those running the tracking server in environments with limited access controls or where the file cleanup functionality is enabled without proper validation, are at significant risk. Shared hosting environments where multiple users have access to the aimhubio/aim installation are also particularly vulnerable.
• python / server:

    import os
    import glob

    def check_file_deletion(directory, pattern):
        """Report glob matches that resolve outside the managed directory.

        Both the base directory and each match are canonicalised with
        os.path.realpath so that '..' segments and symlinks are resolved
        before the containment check; a plain string prefix test would
        wrongly accept '/data-old/...' for a base of '/data'.
        """
        base = os.path.realpath(directory)
        try:
            files = glob.glob(os.path.join(base, pattern))
            for file in files:
                resolved = os.path.realpath(file)
                if os.path.commonpath([base, resolved]) != base:
                    print(f"Potential Path Traversal: File {file} outside of directory {directory}")
        except (OSError, ValueError) as e:
            print(f"Error during glob check: {e}")

    # Example usage (replace with actual directory and pattern)
    directory = '/path/to/aimhubio/aim/data'  # Replace with the actual data directory
    pattern = '*/temp/*'  # Replace with the pattern being used
    check_file_deletion(directory, pattern)

Disclosure
Exploit status
EPSS
0.38% (60th percentile)
CISA SSVC
CVSS vector
While a patched version is pending, several mitigation strategies can be implemented to reduce the risk. The most immediate step is to restrict access to the file deletion functionality to trusted users only. Implement strict input validation on the glob-pattern, ensuring it adheres to a predefined whitelist of allowed characters and patterns. Consider using a more secure file deletion mechanism that explicitly verifies the file path before deletion. As a temporary workaround, you could disable the file cleanup functionality entirely if it's not essential. Monitor system logs for any suspicious file deletion activity. After a future upgrade, confirm the fix by attempting to delete a file outside the intended directory using a crafted glob-pattern; the operation should be denied.
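The containment check described above (the cleanup must verify that every glob match still resolves inside the directory it manages, before anything is deleted) can be shown end to end. The following is an added example written for this advisory; it is not aim's LocalFileManager._cleanup and not project code. The names safe_cleanup, resolve_within and demo are hypothetical, and the files, the symlink and the patterns in demo are constructed in a temporary directory so the script runs offline. It also covers the two cases a plain string prefix test gets wrong: a sibling directory that shares the base path as a prefix, and a symlink inside the managed tree that points outside it.

```python
import glob
import os
import tempfile
from pathlib import Path


def resolve_within(base_dir, path):
    """True only if `path`, after resolving '..' and symlinks, lies strictly
    inside `base_dir`. os.path.commonpath avoids the prefix bug of
    str.startswith ('/data' would otherwise accept '/data-backup/...')."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    try:
        return target != base and os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def safe_cleanup(base_dir, pattern, dry_run=False):
    """Hypothetical hardened cleanup (not aim's LocalFileManager._cleanup).

    Expands `pattern` relative to `base_dir` and deletes only regular files
    whose canonical path stays inside the canonical base directory.
    Returns (deleted, rejected) so callers can log the rejected matches.
    """
    base = os.path.realpath(base_dir)
    deleted, rejected = [], []
    for match in glob.glob(os.path.join(base, pattern)):
        # Containment check first: a match that escapes the base directory
        # is never touched, whatever the pattern looked like.
        if not resolve_within(base, match) or not os.path.isfile(match):
            rejected.append(match)
            continue
        if not dry_run:
            os.remove(match)
        deleted.append(match)
    return deleted, rejected


def demo():
    """Constructed scenario: one file inside the managed directory, one file
    outside it, and a symlink inside the managed tree pointing outside."""
    with tempfile.TemporaryDirectory() as root:
        managed = os.path.join(root, "aim_data")
        os.makedirs(os.path.join(managed, "temp"))
        inside = os.path.join(managed, "temp", "scratch.tmp")
        outside = os.path.join(root, "server.conf")
        link = os.path.join(managed, "temp", "escape.tmp")
        Path(inside).write_text("scratch")
        Path(outside).write_text("keep me")
        os.symlink(outside, link)

        # Legitimate pattern: the real file goes, the escaping symlink is refused.
        deleted_ok, rejected_ok = safe_cleanup(managed, "temp/*.tmp")
        # Traversal pattern: the match resolves outside the base and is refused.
        _, rejected_traversal = safe_cleanup(managed, "../server.conf")

        return {
            "deleted_inside": [os.path.basename(p) for p in deleted_ok],
            "symlink_rejected": [os.path.basename(p) for p in rejected_ok],
            "traversal_rejected": [os.path.basename(p) for p in rejected_traversal],
            "outside_survives": os.path.exists(outside),
        }


if __name__ == "__main__":
    print(demo())
```

Returning the rejected matches rather than silently skipping them is deliberate: a rejected match is exactly the "suspicious file deletion activity" the mitigation text says to watch for, so the caller can write it to the server log.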
Update the aimhubio/aim library to a version later than 3.22.0 that fixes the vulnerability. This will prevent the arbitrary file deletion caused by a malicious glob pattern. Consult the release notes for more details on the fix.
CVE-2024-6851 is a Path Traversal vulnerability in aimhubio/aim versions up to 3.22.0, allowing attackers to delete arbitrary files using a malicious glob-pattern.
You are affected if you are using aimhubio/aim version 3.22.0 or earlier. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of aimhubio/aim. Until then, restrict access to the file cleanup function and implement strict input validation on glob-patterns.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply mitigations proactively.
Refer to the aimhubio project's official website and GitHub repository for updates and security advisories regarding CVE-2024-6851.