A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HAimstack Aim
APPAimstack< 3.24.0
Related vulnerabilities
CSRF w Aimstack Aim — łańcuch podatności z RCE i DoS
Path traversal w Aimstack Aim – zapis plików w dowolnej lokalizacji serwera
Nadpisywanie plików i RCE w Aimstack Aim przez funkcję _backup_run
RCE w Aimstack Aim – wykonanie kodu przez parametr query w API
Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the s...