CVE-2024-6483
📋 TL;DR
This vulnerability allows attackers to delete arbitrary files or directories on systems running aimhubio/aim version 3.19.3 through path traversal in the runs/delete-batch endpoint. Attackers can exploit this to cause denial of service or data loss by deleting critical system files. Organizations using aim version 3.19.3 with the vulnerable endpoint exposed are affected.
💻 Affected Systems
- aimhubio/aim
📦 What is this software?
Aim by Aimstack
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical operating system files, leading to permanent data loss and system unavailability.
Likely Case
Deletion of application data, configuration files, or logs causing service disruption and data loss within the aim application.
If Mitigated
Limited impact to non-critical files if proper access controls and file permissions are configured.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.19.4 or later
Vendor Advisory: https://huntr.com/bounties/dc45d480-e579-4af4-8603-c52ecfd5e363
Restart Required: Yes
Instructions:
1. Check current aim version: pip show aim
2. Upgrade to version 3.19.4 or later: pip install --upgrade aim==3.19.4
3. Restart the aim service or application
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block or disable access to the runs/delete-batch endpoint
# Configure web server/firewall to block /runs/delete-batch
# Example nginx: location /runs/delete-batch { deny all; }
Implement input validation
Add path traversal validation before processing run-names
# In application code, validate run-name inputs
# Example Python: if '..' in run_name or '/' in run_name: raise ValueError
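As an added example (not aim's own code), a hardened version of the run-name check above: an allow-list pattern instead of a deny-list of '..' and '/', plus a realpath containment check so nothing outside the run store can be deleted. The function names, the `<repo_root>/.aim/<run_name>` layout and the sample run `abc123` are assumptions for this demo.

```python
import os
import re
import tempfile

# Allow-list for run identifiers (assumption for this demo; aim's own run hashes
# are hex strings, so the pattern is deliberately wider than needed).
RUN_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def is_safe_run_name(run_name) -> bool:
    """Allow-list check: rejects '..', '/', '\\', NUL bytes and absolute paths alike."""
    return isinstance(run_name, str) and RUN_NAME_RE.fullmatch(run_name) is not None

def resolve_run_dir(repo_root: str, run_name: str) -> str:
    """Map a run name to <repo_root>/.aim/<run_name>, refusing anything outside the store."""
    if not is_safe_run_name(run_name):
        raise ValueError(f"invalid run name: {run_name!r}")
    store = os.path.realpath(os.path.join(repo_root, ".aim"))
    target = os.path.realpath(os.path.join(store, run_name))
    # Defence in depth: realpath follows symlinks, so a run directory that has
    # been replaced by a symlink pointing outside the store is also refused.
    if os.path.commonpath([store, target]) != store or target == store:
        raise ValueError(f"run path escapes run store: {run_name!r}")
    return target

def delete_runs_batch(repo_root: str, run_names: list) -> list:
    """Fail closed: validate every name before deleting anything."""
    targets = [resolve_run_dir(repo_root, n) for n in run_names]  # raises on first bad name
    deleted = []
    for path in targets:
        if os.path.isdir(path):
            os.rmdir(path)  # demo run dirs are empty; a real store needs shutil.rmtree
            deleted.append(path)
    return deleted

def demo() -> dict:
    """Constructed scenario: one legitimate run plus a traversal attempt in the same batch."""
    repo = tempfile.mkdtemp()
    os.makedirs(os.path.join(repo, ".aim", "abc123"))
    outcome = {}
    try:
        delete_runs_batch(repo, ["abc123", "../../etc/passwd"])
        outcome["batch_rejected"] = False
    except ValueError:
        outcome["batch_rejected"] = True
    outcome["run_survived_bad_batch"] = os.path.isdir(os.path.join(repo, ".aim", "abc123"))
    outcome["clean_batch_deleted"] = len(delete_runs_batch(repo, ["abc123"]))
    return outcome
```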
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the aim API endpoints
- Configure file system permissions to restrict deletion capabilities of the aim process
🔍 How to Verify
Check if Vulnerable:
Check if aim version is 3.19.3 and the runs/delete-batch endpoint accepts path traversal sequences like '../../etc/passwd' in run-name parameters
Check Version:
pip show aim | grep Version
Verify Fix Applied:
After upgrading, test that path traversal attempts in run-name parameters are rejected and no longer allow arbitrary file deletion
📡 Detection & Monitoring
Log Indicators:
- Unusual delete operations in aim logs
- Failed path traversal attempts in application logs
- Multiple delete requests with suspicious run-names
Network Indicators:
- HTTP requests to /runs/delete-batch with path traversal sequences in parameters
- Unusual patterns of delete API calls
SIEM Query:
source="aim_logs" AND uri_path="/runs/delete-batch" AND (param="*..*" OR param="*/*")