A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the `run_hash` and `repo.path` parameters, which can be manipulated to create and write to arbitrary file paths. This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution.
The vulnerability results from improper handling of the `run_hash` and `repo.path` parameters in the `_backup_run` function. An attacker can manipulate these parameters to point to arbitrary file paths on the server (path traversal, CWE-29). This allows creating and writing content to arbitrary locations in the file system without authorization, as well as reading and exfiltrating stored data.
An attacker can overwrite critical system files leading to denial of service (DoS), steal sensitive data stored on the server, or achieve remote code execution (RCE) by replacing executable or configuration files.
Apply patches available from the vendor according to the references. As an interim remedial action, it is recommended to restrict network access to Aim instances only to trusted IP addresses and monitor the integrity of critical system files.
Aimstack Aim version 3.19.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAimstack Aim
APPAimstack3.19.3
Related vulnerabilities
Aimstack Aim: path traversal umożliwiający usunięcie dowolnego pliku
Path traversal w Aimstack Aim – zapis plików w dowolnej lokalizacji serwera
CSRF w Aimstack Aim — łańcuch podatności z RCE i DoS
RCE w Aimstack Aim – wykonanie kodu przez parametr query w API
Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the s...