GHSA-8phj-f9w2-cjcc

Source
https://github.com/advisories/GHSA-8phj-f9w2-cjcc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-8phj-f9w2-cjcc/GHSA-8phj-f9w2-cjcc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8phj-f9w2-cjcc
Aliases
Published
2021-11-23T22:03:23Z
Modified
2024-11-20T05:24:05.401097Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
Arbitrary file reading vulnerability in Aim
Details

Impact

A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files.

Vulnerable code: https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16
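As an added illustration of the mitigation implied above (this is example code, not code from Aim or from the linked commit): a Python helper that resolves a user-supplied path against a fixed serving root and rejects dot-dot-slash sequences, absolute paths, and look-alike sibling directories. It also shows why a string-prefix check alone is not enough. The root directory (`/srv/aim-files`), the helper names and the sample request paths are constructed for the example.

```python
import os

# Constructed root directory for the example; it does not need to exist on disk.
UPLOAD_ROOT = "/srv/aim-files"


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would resolve outside the allowed root."""


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path inside root, or raise.

    The containment check runs on the canonical path (symlinks and '..'
    resolved), not on the raw string, so '../' sequences, absolute paths and
    sibling directories whose name merely starts with root are all rejected.
    """
    root_real = os.path.realpath(root)
    # os.path.join discards root when user_path is absolute; realpath then
    # yields an absolute path that fails the containment check below.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"refusing to serve {user_path!r}: escapes {root}")
    return candidate


def is_safe_path(root: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under_root for callers that only need a verdict."""
    try:
        resolve_under_root(root, user_path)
        return True
    except PathTraversalError:
        return False


def naive_prefix_check(root: str, user_path: str) -> bool:
    """A string-only check of the kind that is often written instead.

    It normalises '..' but then compares with startswith, so a sibling
    directory such as '/srv/aim-files2' passes. Included to show the gap;
    do not use this form.
    """
    candidate = os.path.normpath(os.path.join(root, user_path))
    return candidate.startswith(root)


if __name__ == "__main__":
    # Constructed sample request paths: one legitimate, three traversal attempts.
    samples = [
        "runs/run1/metrics.json",
        "../../etc/passwd",
        "/etc/passwd",
        "../aim-files2/secret",
    ]
    for p in samples:
        print(f"{p!r:28} canonical_check={is_safe_path(UPLOAD_ROOT, p)!s:5} "
              f"prefix_check={naive_prefix_check(UPLOAD_ROOT, p)}")
```

The key design choice is to decide on the resolved path rather than the submitted string: `os.path.realpath` collapses `..` and follows symlinks, and `os.path.commonpath` compares whole path components, which is what makes the `aim-files2` case fail correctly while the prefix check lets it through.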

Patches

The vulnerability is fixed in Aim v3.1.0.

References

https://owasp.org/www-community/attacks/Path_Traversal

Database specific
{
    "nvd_published_at": "2021-11-23T21:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-23T18:48:09Z"
}
Affected packages

Package: PyPI / aim

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 3.1.0

Affected versions

2.*

2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7