PYSEC-2021-839
Vulnerability from pysec - Published: 2021-11-23 21:15 - Updated: 2021-12-13 06:35
VLAI?
Details
Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash (../)� sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0.
Impacted products
| Name | purl | aim | pkg:pypi/aim |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aim",
"purl": "pkg:pypi/aim"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.19",
"2.0.20",
"2.0.20rc1",
"2.0.20rc2",
"2.0.21",
"2.0.21rc1",
"2.0.22",
"2.0.22rc1",
"2.0.22rc2",
"2.0.22rc3",
"2.0.23",
"2.0.24",
"2.0.25",
"2.0.26",
"2.0.27",
"2.0.27rc2",
"2.0.27rc3",
"2.0.27rc4",
"2.0.27rc5",
"2.1.0",
"2.1.1",
"2.1.1rc1",
"2.1.1rc6",
"2.1.2",
"2.1.3",
"2.1.4",
"2.1.5",
"2.1.5rc1",
"2.1.6",
"2.2.0",
"2.2.1",
"2.3.0",
"2.3.0rc1",
"2.3.0rc2",
"2.3.0rc3",
"2.4.0",
"2.5.0",
"2.5.0rc1",
"2.5.0rc2",
"2.5.0rc3",
"2.5.0rc4",
"2.5.0rc5",
"2.5.0rc6",
"2.5.0rc7",
"2.6.0",
"2.6.0rc1",
"2.7.0",
"2.7.0rc1",
"2.7.1",
"2.7.1rc1",
"2.7.2",
"2.7.3",
"2.7.4",
"2.7.4rc1",
"3.0.0",
"3.0.0a1",
"3.0.0a2",
"3.0.0a3",
"3.0.0a4",
"3.0.0b1",
"3.0.0b2",
"3.0.0b3",
"3.0.0b4",
"3.0.0b5",
"3.0.0b6",
"3.0.0b6.dev1",
"3.0.0b7",
"3.0.0b7.dev1",
"3.0.0b7.dev2",
"3.0.0b7.dev3",
"3.0.0b7.dev4",
"3.0.0rc1",
"3.0.0rc10",
"3.0.0rc2",
"3.0.0rc3",
"3.0.0rc4",
"3.0.0rc7",
"3.0.0rc8",
"3.0.0rc9",
"3.0.1",
"3.0.2",
"3.0.3",
"3.0.4",
"3.0.5",
"3.0.6",
"3.0.7",
"3.1.0rc1"
]
}
],
"aliases": [
"CVE-2021-43775",
"GHSA-8phj-f9w2-cjcc"
],
"details": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u00e2\u20ac\u0153dot-dot-slash (../)\u00e2\u20ac? sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0.",
"id": "PYSEC-2021-839",
"modified": "2021-12-13T06:35:02.857370Z",
"published": "2021-11-23T21:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://github.com/aimhubio/aim/issues/999"
},
{
"type": "ADVISORY",
"url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc"
},
{
"type": "WEB",
"url": "https://github.com/aimhubio/aim/pull/1003"
},
{
"type": "WEB",
"url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16"
},
{
"type": "WEB",
"url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…