A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.
The vulnerability affects the `run_search_api` function in the file `aim/web/api/runs/views.py`. Improper access restriction for the user to the `RunView` object causes the `query` parameter passed over the network to not be properly validated or sanitized. An attacker can place malicious code in this parameter, which will be executed directly on the server. The attack vector is network-based, requires no authentication or user interaction, making this vulnerability particularly dangerous.
An attacker can execute arbitrary commands on the server hosting the Aim application, which could result in complete system compromise, including data theft, malware installation, or further lateral movement in the network.
Patches available from the vendor should be applied according to references. Additionally, it is recommended to restrict network access to the `/api/runs/search/run/` endpoint using firewall or access control mechanisms until the update is deployed.
Aimstack Aim in versions >= 3.0.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAimstack Aim
APPAimstack≥ 3.0.0
Related vulnerabilities
CSRF w Aimstack Aim — łańcuch podatności z RCE i DoS
Path traversal w Aimstack Aim – zapis plików w dowolnej lokalizacji serwera
Aimstack Aim: path traversal umożliwiający usunięcie dowolnego pliku
Nadpisywanie plików i RCE w Aimstack Aim przez funkcję _backup_run
Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the s...