GHSA-75px-35p4-qq6h

Source

https://github.com/advisories/GHSA-75px-35p4-qq6h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-75px-35p4-qq6h/GHSA-75px-35p4-qq6h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-75px-35p4-qq6h

Aliases

CVE-2024-6829

Published

2025-03-20T12:32:45Z

Modified

2025-03-21T19:23:50.923647Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

Aim External Control of File Name or Path vulnerability

Details

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the tarfile.extractall() function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control repo.path and run_hash to bypass directory existence checks and extract files to unintended locations, potentially overwriting critical files. This can lead to arbitrary data being written to arbitrary locations on the remote tracking server, which could be used for further attacks such as writing a new SSH key to the target server.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T18:57:32Z",
    "severity": "CRITICAL",
    "nvd_published_at": "2025-03-20T10:15:33Z",
    "cwe_ids": [
        "CWE-73"
    ]
}

References

Affected packages

PyPI / aim

Package

Name: aim; View open source insights on deps.dev
Purl: pkg:pypi/aim

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.19.3

Affected versions

2.*

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.1.0

3.1.1

3.2.0

3.2.1

3.2.2

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.7.5

3.8.0

3.8.1

3.9.0a1

3.9.0a14

3.9.2

3.9.3

3.9.4

3.10.0.dev9

3.10.0

3.10.1

3.10.2

3.10.3

3.11.0.dev4

3.11.0

3.11.1.dev1

3.11.1

3.11.2

3.12.0.dev2

3.12.0

3.12.1

3.12.2

3.13.0

3.13.1

3.13.2

3.13.3

3.13.4

3.14.0

3.14.1

3.14.2

3.14.3

3.14.4

3.15.0

3.15.1

3.15.2

3.16.0

3.16.1

3.16.2

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.17.5rc1

3.17.5rc2

3.17.5rc3

3.17.5rc4

3.17.5

3.18.0.dev2

3.18.0.dev3

3.18.0.dev4

3.18.0.dev5

3.18.0

3.18.1

3.19.0

3.19.1

3.19.2

3.19.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-75px-35p4-qq6h/GHSA-75px-35p4-qq6h.json"