    6 vulnerabilities found for aim by aimhubio

    CVE-2025-5321 (GCVE-0-2025-5321)

    Vulnerability from nvd – Published: 2025-05-29 15:00 – Updated: 2025-06-01 04:39
    Title
    aimhubio aim run_view Object query.py RestrictedPythonQuery privilege escalation
    Summary
    A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument query leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-265 - Sandbox Issue
    • CWE-264 - Improper Access Controls
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.310492 vdb-entry, technical-description
    https://vuldb.com/?ctiid.310492 signature, permissions-required
    https://vuldb.com/?submit.580253 third-party-advisory
    https://gist.github.com/superboy-zjc/1fc4747a0ac7… exploit
    Impacted products
    Vendor Product Version
    aimhubio aim Affected: 3.29.0
    Affected: 3.29.1
    Credits
    Jiacheng Zhong (finder), Zhengyu Liu (finder), Gavin Zhong (VulDB User; reporter and analyst)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5321",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-29T15:16:32.431587Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-29T15:16:44.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "run_view Object Handler"
              ],
              "product": "aim",
              "vendor": "aimhubio",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.29.0"
                },
                {
                  "status": "affected",
                  "version": "3.29.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jiacheng Zhong"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Zhengyu Liu"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gavin Zhong (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Gavin Zhong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Abfrage leads to erweiterte Rechte. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In aimhubio aim bis 3.29.1 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion RestrictedPythonQuery der Datei /aim/storage/query.py der Komponente run_view Object Handler. Mittels Manipulieren des Arguments Abfrage mit unbekannten Daten kann eine erweiterte Rechte-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-265",
                  "description": "Sandbox Issue",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-264",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-01T04:39:53.266Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-310492 | aimhubio aim run_view Object query.py RestrictedPythonQuery privilege escalation",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.310492"
            },
            {
              "name": "VDB-310492 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.310492"
            },
            {
              "name": "Submit #580253 | aim 3.29.1 Sandbox Issue",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.580253"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/superboy-zjc/1fc4747a0ac77a1edc8c32e1d4edc54c"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-29T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-29T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-01T06:41:59.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "aimhubio aim run_view Object query.py RestrictedPythonQuery privilege escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-5321",
        "datePublished": "2025-05-29T15:00:06.375Z",
        "dateReserved": "2025-05-29T08:11:11.324Z",
        "dateUpdated": "2025-06-01T04:39:53.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8863 (GCVE-0-2024-8863)

    Vulnerability from nvd – Published: 2024-09-14 23:00 – Updated: 2024-09-16 14:13
    Title
    aimhubio aim Text Explorer textbox.tsx dangerouslySetInnerHTML cross site scripting
    Summary
    A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.277500 vdb-entry, technical-description
    https://vuldb.com/?ctiid.277500 signature, permissions-required
    https://vuldb.com/?submit.403203 third-party-advisory
    https://rumbling-slice-eb0.notion.site/Stored-XSS… exploit
    Impacted products
    Vendor Product Version
    aimhubio aim Affected: 3.0
    Affected: 3.1
    Affected: 3.2
    Affected: 3.3
    Affected: 3.4
    Affected: 3.5
    Affected: 3.6
    Affected: 3.7
    Affected: 3.8
    Affected: 3.9
    Affected: 3.10
    Affected: 3.11
    Affected: 3.12
    Affected: 3.13
    Affected: 3.14
    Affected: 3.15
    Affected: 3.16
    Affected: 3.17
    Affected: 3.18
    Affected: 3.19
    Affected: 3.20
    Affected: 3.21
    Affected: 3.22
    Affected: 3.23
    Affected: 3.24
    aimhubio aim Affected: 3.0.0 through ≤ 3.2.4 (custom version range)
        cpe:2.3:a:aimhubio:aim:3.0.0:*:*:*:*:*:*:*
    Credits
    aftersnow (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:aimhubio:aim:3.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "aim",
                "vendor": "aimhubio",
                "versions": [
                  {
                    "lessThanOrEqual": "3.2.4",
                    "status": "affected",
                    "version": "3.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8863",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T14:12:24.322305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T14:13:21.333Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Text Explorer"
              ],
              "product": "aim",
              "vendor": "aimhubio",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0"
                },
                {
                  "status": "affected",
                  "version": "3.1"
                },
                {
                  "status": "affected",
                  "version": "3.2"
                },
                {
                  "status": "affected",
                  "version": "3.3"
                },
                {
                  "status": "affected",
                  "version": "3.4"
                },
                {
                  "status": "affected",
                  "version": "3.5"
                },
                {
                  "status": "affected",
                  "version": "3.6"
                },
                {
                  "status": "affected",
                  "version": "3.7"
                },
                {
                  "status": "affected",
                  "version": "3.8"
                },
                {
                  "status": "affected",
                  "version": "3.9"
                },
                {
                  "status": "affected",
                  "version": "3.10"
                },
                {
                  "status": "affected",
                  "version": "3.11"
                },
                {
                  "status": "affected",
                  "version": "3.12"
                },
                {
                  "status": "affected",
                  "version": "3.13"
                },
                {
                  "status": "affected",
                  "version": "3.14"
                },
                {
                  "status": "affected",
                  "version": "3.15"
                },
                {
                  "status": "affected",
                  "version": "3.16"
                },
                {
                  "status": "affected",
                  "version": "3.17"
                },
                {
                  "status": "affected",
                  "version": "3.18"
                },
                {
                  "status": "affected",
                  "version": "3.19"
                },
                {
                  "status": "affected",
                  "version": "3.20"
                },
                {
                  "status": "affected",
                  "version": "3.21"
                },
                {
                  "status": "affected",
                  "version": "3.22"
                },
                {
                  "status": "affected",
                  "version": "3.23"
                },
                {
                  "status": "affected",
                  "version": "3.24"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "aftersnow (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Es wurde eine Schwachstelle in aimhubio aim bis 3.24 gefunden. Sie wurde als problematisch eingestuft. Es betrifft die Funktion dangerouslySetInnerHTML der Datei textbox.tsx der Komponente Text Explorer. Durch die Manipulation des Arguments query mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-14T23:00:05.339Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-277500 | aimhubio aim Text Explorer textbox.tsx dangerouslySetInnerHTML cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.277500"
            },
            {
              "name": "VDB-277500 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.277500"
            },
            {
              "name": "Submit #403203 | aimhubio aim \u003c=3.24 Stored XSS",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.403203"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://rumbling-slice-eb0.notion.site/Stored-XSS-through-TEXT-EXPLORER-in-aimhubio-aim-d0f07b7194724950a673498546d80d43?pvs=4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-09-14T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-09-14T07:54:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "aimhubio aim Text Explorer textbox.tsx dangerouslySetInnerHTML cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-8863",
        "datePublished": "2024-09-14T23:00:05.339Z",
        "dateReserved": "2024-09-14T05:49:44.253Z",
        "dateUpdated": "2024-09-16T14:13:21.333Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43775 (GCVE-0-2021-43775)

    Vulnerability from nvd – Published: 2021-11-23 19:15 – Updated: 2024-08-04 04:03
    Title
    Arbitrary file reading vulnerability in Aim
    Summary
    Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The vulnerability is resolved in Aim v3.1.0.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    aimhubio aim Affected: < 3.1.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:03:08.638Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/issues/999"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/pull/1003"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "aim",
              "vendor": "aimhubio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u201cdot-dot-slash (../)\u201d sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-23T19:15:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/issues/999"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/pull/1003"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
            }
          ],
          "source": {
            "advisory": "GHSA-8phj-f9w2-cjcc",
            "discovery": "UNKNOWN"
          },
          "title": "Arbitrary file reading vulnerability in Aim",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-43775",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary file reading vulnerability in Aim"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "aim",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 3.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "aimhubio"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u201cdot-dot-slash (../)\u201d sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
                },
                {
                  "name": "https://github.com/aimhubio/aim/issues/999",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/issues/999"
                },
                {
                  "name": "https://github.com/aimhubio/aim/pull/1003",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/pull/1003"
                },
                {
                  "name": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
                },
                {
                  "name": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-8phj-f9w2-cjcc",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-43775",
        "datePublished": "2021-11-23T19:15:13.000Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:03:08.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-5321 (GCVE-0-2025-5321)

    Vulnerability from cvelistv5 – Published: 2025-05-29 15:00 – Updated: 2025-06-01 04:39
    Title
    aimhubio aim run_view Object query.py RestrictedPythonQuery privilege escalation
    Summary
    A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument query leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-265 - Sandbox Issue
    • CWE-264 - Improper Access Controls
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.310492 vdb-entry, technical-description
    https://vuldb.com/?ctiid.310492 signature, permissions-required
    https://vuldb.com/?submit.580253 third-party-advisory
    https://gist.github.com/superboy-zjc/1fc4747a0ac7… exploit
    Impacted products
    Vendor | Product | Version
    aimhubio | aim | Affected: 3.29.0, 3.29.1
    Credits
    Jiacheng Zhong Zhengyu Liu Gavin Zhong (VulDB User) Gavin Zhong (VulDB User)
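    The record above names RestrictedPythonQuery, i.e. a Python-sandbox approach to evaluating user-supplied run queries, and files the flaw as a sandbox issue (CWE-265). The page does not describe how the published exploit works, and the block below does not either. It is an added example, not Aim's code, showing the design alternative a reviewer would reach for: instead of executing the query as (restricted) Python, parse it with the ast module and evaluate only an allow-listed subset of expression nodes against plain dictionaries of run data, so that attribute access never touches a live Python object and there is no object graph (__class__, __subclasses__, __globals__) to walk. The query syntax (run.hparams.lr < 0.01 and not run.archived), the single root name run, and SAMPLE_RUN are assumptions constructed for the example.

```python
"""Allow-list expression evaluator for run queries (added example, not Aim's code).

Assumption: queries use Python expression syntax over one name `run` whose
fields are nested plain dicts, e.g.  run.hparams.lr < 0.01 and not run.archived
"""
import ast
import operator
from typing import Any, Mapping

MAX_QUERY_LENGTH = 1000  # cap before parsing: deeply nested input can exhaust the parser


class UnsafeQuery(ValueError):
    """Raised for any construct outside the allow-list, or any unknown field."""


_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod,
}
_CMPOPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


def _lookup(node: ast.AST, env: Mapping[str, Any]) -> Any:
    """Resolve `name` or `name.field.subfield` against mappings only.

    Lookups go through dict keys, never getattr(), so a query cannot reach
    __class__, __subclasses__, __globals__ or any other live-object escape hatch.
    """
    if isinstance(node, ast.Name):
        if node.id.startswith("_") or node.id not in env:
            raise UnsafeQuery(f"unknown name {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.Attribute):
        base = _lookup(node.value, env)
        if node.attr.startswith("_") or not isinstance(base, Mapping) or node.attr not in base:
            raise UnsafeQuery(f"unknown field {node.attr!r}")
        return base[node.attr]
    raise UnsafeQuery(f"{type(node).__name__} is not allowed here")


def _eval(node: ast.AST, env: Mapping[str, Any]) -> Any:
    if isinstance(node, ast.Constant):
        if node.value is None or isinstance(node.value, (bool, int, float, str)):
            return node.value
        raise UnsafeQuery("unsupported literal")
    if isinstance(node, (ast.Name, ast.Attribute)):
        return _lookup(node, env)
    if isinstance(node, (ast.Tuple, ast.List)):
        return tuple(_eval(elt, env) for elt in node.elts)
    if isinstance(node, ast.BoolOp):
        values = (_eval(v, env) for v in node.values)  # generator: short-circuits like Python
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.Not, ast.USub)):
        operand = _eval(node.operand, env)
        return (not operand) if isinstance(node.op, ast.Not) else -operand
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Compare):
        left = _eval(node.left, env)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMPOPS:
                raise UnsafeQuery(f"operator {type(op).__name__} is not allowed")
            right = _eval(comparator, env)
            if not _CMPOPS[type(op)](left, right):
                return False
            left = right
        return True
    # Everything else (Call, Subscript, Lambda, comprehensions, f-strings, walrus, ...) is refused.
    raise UnsafeQuery(f"{type(node).__name__} is not allowed")


def evaluate_query(query: str, run: Mapping[str, Any]) -> bool:
    """Return True if `run` matches `query`; raise UnsafeQuery for anything outside the allow-list."""
    if len(query) > MAX_QUERY_LENGTH:
        raise UnsafeQuery("query too long")
    try:
        tree = ast.parse(query, mode="eval")
    except (SyntaxError, ValueError) as exc:  # ValueError: NUL bytes in source on older Pythons
        raise UnsafeQuery(f"cannot parse query: {exc}") from None
    return bool(_eval(tree.body, {"run": run}))


def is_rejected(query: str, run: Mapping[str, Any]) -> bool:
    """True if the evaluator refuses the query outright (as opposed to evaluating it to False)."""
    try:
        evaluate_query(query, run)
    except UnsafeQuery:
        return True
    return False


# Constructed sample run record, not real Aim data.
SAMPLE_RUN = {
    "name": "exp-42",
    "archived": False,
    "hparams": {"lr": 0.001, "batch_size": 64},
    "metrics": {"loss": 0.12},
}

if __name__ == "__main__":
    print(evaluate_query("run.hparams.lr < 0.01 and not run.archived", SAMPLE_RUN))
    print(is_rejected("run.__class__.__mro__", SAMPLE_RUN))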

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5321",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-29T15:16:32.431587Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-29T15:16:44.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "run_view Object Handler"
              ],
              "product": "aim",
              "vendor": "aimhubio",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.29.0"
                },
                {
                  "status": "affected",
                  "version": "3.29.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jiacheng Zhong"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Zhengyu Liu"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gavin Zhong (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Gavin Zhong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument query leads to privilege escalation. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "A vulnerability was discovered in aimhubio aim up to 3.29.1. It was rated as critical. Affected is the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. By manipulating the argument query with unknown data, a privilege escalation vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-265",
                  "description": "Sandbox Issue",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-264",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-01T04:39:53.266Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-310492 | aimhubio aim run_view Object query.py RestrictedPythonQuery privilege escalation",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.310492"
            },
            {
              "name": "VDB-310492 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.310492"
            },
            {
              "name": "Submit #580253 | aim 3.29.1 Sandbox Issue",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.580253"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/superboy-zjc/1fc4747a0ac77a1edc8c32e1d4edc54c"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-29T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-29T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-01T06:41:59.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "aimhubio aim run_view Object query.py RestrictedPythonQuery privilege escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-5321",
        "datePublished": "2025-05-29T15:00:06.375Z",
        "dateReserved": "2025-05-29T08:11:11.324Z",
        "dateUpdated": "2025-06-01T04:39:53.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8863 (GCVE-0-2024-8863)

    Vulnerability from cvelistv5 – Published: 2024-09-14 23:00 – Updated: 2024-09-16 14:13
    Title
    aimhubio aim Text Explorer textbox.tsx dangerouslySetInnerHTML cross site scripting
    Summary
    A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    VulDB
    References
    URL | Tags
    https://vuldb.com/?id.277500 | vdb-entry, technical-description
    https://vuldb.com/?ctiid.277500 | signature, permissions-required
    https://vuldb.com/?submit.403203 | third-party-advisory
    https://rumbling-slice-eb0.notion.site/Stored-XSS… | exploit
    Impacted products
    Vendor | Product | Version
    aimhubio | aim | Affected: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, 3.24
    aimhubio | aim | Affected: from 3.0.0 up to and including 3.2.4 (versionType: custom, from the CISA ADP container)
        cpe:2.3:a:aimhubio:aim:3.0.0:*:*:*:*:*:*:*
    Note that this ADP range (≤ 3.2.4) is narrower than the CNA's own list, which runs through minor version 3.24; when checking a deployment, go by the CNA list and the linked advisory rather than the ADP range alone.
    Credits
    aftersnow (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:aimhubio:aim:3.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "aim",
                "vendor": "aimhubio",
                "versions": [
                  {
                    "lessThanOrEqual": "3.2.4",
                    "status": "affected",
                    "version": "3.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8863",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T14:12:24.322305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T14:13:21.333Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Text Explorer"
              ],
              "product": "aim",
              "vendor": "aimhubio",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0"
                },
                {
                  "status": "affected",
                  "version": "3.1"
                },
                {
                  "status": "affected",
                  "version": "3.2"
                },
                {
                  "status": "affected",
                  "version": "3.3"
                },
                {
                  "status": "affected",
                  "version": "3.4"
                },
                {
                  "status": "affected",
                  "version": "3.5"
                },
                {
                  "status": "affected",
                  "version": "3.6"
                },
                {
                  "status": "affected",
                  "version": "3.7"
                },
                {
                  "status": "affected",
                  "version": "3.8"
                },
                {
                  "status": "affected",
                  "version": "3.9"
                },
                {
                  "status": "affected",
                  "version": "3.10"
                },
                {
                  "status": "affected",
                  "version": "3.11"
                },
                {
                  "status": "affected",
                  "version": "3.12"
                },
                {
                  "status": "affected",
                  "version": "3.13"
                },
                {
                  "status": "affected",
                  "version": "3.14"
                },
                {
                  "status": "affected",
                  "version": "3.15"
                },
                {
                  "status": "affected",
                  "version": "3.16"
                },
                {
                  "status": "affected",
                  "version": "3.17"
                },
                {
                  "status": "affected",
                  "version": "3.18"
                },
                {
                  "status": "affected",
                  "version": "3.19"
                },
                {
                  "status": "affected",
                  "version": "3.20"
                },
                {
                  "status": "affected",
                  "version": "3.21"
                },
                {
                  "status": "affected",
                  "version": "3.22"
                },
                {
                  "status": "affected",
                  "version": "3.23"
                },
                {
                  "status": "affected",
                  "version": "3.24"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "aftersnow (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "A vulnerability was found in aimhubio aim up to 3.24. It was rated as problematic. It affects the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. By manipulating the argument query with unknown data, a cross site scripting vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-14T23:00:05.339Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-277500 | aimhubio aim Text Explorer textbox.tsx dangerouslySetInnerHTML cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.277500"
            },
            {
              "name": "VDB-277500 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.277500"
            },
            {
              "name": "Submit #403203 | aimhubio aim \u003c=3.24 Stored XSS",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.403203"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://rumbling-slice-eb0.notion.site/Stored-XSS-through-TEXT-EXPLORER-in-aimhubio-aim-d0f07b7194724950a673498546d80d43?pvs=4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2024-09-14T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-09-14T07:54:47.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "aimhubio aim Text Explorer textbox.tsx dangerouslySetInnerHTML cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2024-8863",
        "datePublished": "2024-09-14T23:00:05.339Z",
        "dateReserved": "2024-09-14T05:49:44.253Z",
        "dateUpdated": "2024-09-16T14:13:21.333Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43775 (GCVE-0-2021-43775)

    Vulnerability from cvelistv5 – Published: 2021-11-23 19:15 – Updated: 2024-08-04 04:03
    Title
    Arbitrary file reading vulnerability in Aim
    Summary
    Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variants, or by using absolute file paths, it may be possible to access arbitrary files and directories on the file system, including application source code, configuration, and critical system files. The issue is resolved in Aim v3.1.0. The record's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) rates it as exploitable remotely without credentials or user interaction, so any pre-3.1.0 Aim UI reachable from an untrusted network is exposed.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    GitHub_M
    Impacted products
    Vendor | Product | Version
    aimhubio | aim | Affected: < 3.1.0
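    The advisory above names the two classic traversal inputs, "../" sequences and absolute paths, and its fix references point at aim/web/api/views.py. The block below is an added example, not Aim's patch: it puts the unsafe join beside a contained one and probes the contained version with constructed requests, including a symlink that points out of the served directory, which a purely lexical check for ".." would miss. The served-directory layout, the file names and the probe paths are all constructed for the example.

```python
"""Path containment for a file-serving endpoint (added example, not Aim's code).

Demonstrates the CWE-22 inputs the advisory describes ('../' sequences, their
backslash variants, and absolute paths) escaping the directory an endpoint is
meant to serve, and one way to refuse them.
"""
import tempfile
from pathlib import Path
from typing import Union


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served root."""


def vulnerable_join(root: Union[str, Path], requested: str) -> Path:
    """The unsafe pattern: concatenate and open.

    pathlib (like os.path.join) silently discards `root` when `requested` is
    absolute, and keeps '..' components verbatim, so the OS walks out of `root`
    when the file is opened.
    """
    return Path(root) / requested


def safe_join(root: Union[str, Path], requested: str) -> Path:
    """Return the file under `root` that `requested` names, or raise.

    `requested` is expected to be already URL-decoded (the web framework's job);
    decoding again here would turn a literal '%2e%2e' file name into '..'.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in requested path")
    # Treat backslashes as separators so 'a\\..\\b' is checked like 'a/../b'.
    normalised = requested.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        raise PathTraversalError("absolute paths are not allowed")
    root_resolved = Path(root).resolve()
    # resolve() collapses '..' and follows symlinks, so the containment check
    # below also catches a symlink inside root that points outside it.
    candidate = (root_resolved / normalised).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {root_resolved}") from None
    return candidate


# Constructed probes: label -> path a client might request.
PROBES = {
    "legit": "run1/metrics.json",
    "dotdot": "../secret.txt",
    "nested_dotdot": "run1/../../secret.txt",
    "backslash": "run1\\..\\..\\secret.txt",
    "absolute": "/etc/passwd",
    "nul_byte": "run1/metrics.json\x00.png",
}


def demo() -> dict:
    """Build a throwaway run directory plus a file outside it, and probe safe_join."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "runs"
        (root / "run1").mkdir(parents=True)
        (root / "run1" / "metrics.json").write_text('{"loss": 0.12}')
        outside = Path(tmp) / "secret.txt"  # constructed: lives next to, not under, root
        outside.write_text("not for clients")
        probes = dict(PROBES)
        try:
            (root / "run1" / "link").symlink_to(outside)
            probes["symlink"] = "run1/link"
        except OSError:
            pass  # platform without symlink support: probe is skipped
        results = {}
        for label, requested in probes.items():
            try:
                safe_join(root, requested)
                results[label] = "allowed"
            except PathTraversalError:
                results[label] = "rejected"
        results.setdefault("symlink", "skipped")
        return results


if __name__ == "__main__":
    print(vulnerable_join("/srv/aim", "/etc/passwd"))  # root is silently dropped
    for label, verdict in demo().items():
        print(f"{label:14s} {verdict}")
```

    The containment check is done on the resolved path rather than on the string, which is why the symlink probe is rejected; a check that only strips or refuses ".." would let it through.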

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:03:08.638Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/issues/999"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/pull/1003"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "aim",
              "vendor": "aimhubio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u201cdot-dot-slash (../)\u201d sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-23T19:15:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/issues/999"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/pull/1003"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
            }
          ],
          "source": {
            "advisory": "GHSA-8phj-f9w2-cjcc",
            "discovery": "UNKNOWN"
          },
          "title": "Arbitrary file reading vulnerability in Aim",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-43775",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary file reading vulnerability in Aim"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "aim",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 3.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "aimhubio"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u201cdot-dot-slash (../)\u201d sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
                },
                {
                  "name": "https://github.com/aimhubio/aim/issues/999",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/issues/999"
                },
                {
                  "name": "https://github.com/aimhubio/aim/pull/1003",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/pull/1003"
                },
                {
                  "name": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
                },
                {
                  "name": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16",
                  "refsource": "MISC",
                  "url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-8phj-f9w2-cjcc",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-43775",
        "datePublished": "2021-11-23T19:15:13.000Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:03:08.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }