Lucene search
+L

545 matches found

Snyk
Snyk
added 2025/03/20 12:32 p.m.3 views

Relative Path Traversal

Overview aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Relative Path Traversal through the runs/delete-batch endpoint. An attacker can delete arbitrary files or directories, potentially causing denial of service or data...

6.9CVSS7AI score0.00814EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.5 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-6483 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-6483 Source advisory: SNYK:PYTHON-AIM-9511134...

5.3CVSS5.8AI score0.00814EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.3 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-12778 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-12778 Source advisory: SNYK:PYTHON-AIM-9511127...

7.5CVSS7.1AI score0.00727EPSS
Exploits1
Snyk
Snyk
added 2025/03/20 12:32 p.m.3 views

Denial of Service (DoS)

Overview aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Denial of Service DoS by sending a large number of requests to retrieve tracked metrics simultaneously. This excessive load results in uncontrolled resource consumpti...

8.7CVSS7AI score0.00727EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.8 views

dsipts (>=1.1.5 <=1.1.19), llm-toys (=0.1.1) +2 more potentially affected by CVE-2024-12778 via aim (>=3.17.4 <=3.20.1)

aim PYPI version =3.17.4, =1.1.5, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2024-12778 Source advisory: OSV:GHSA-35P3-6J45-PRWM...

7.5CVSS7AI score0.00727EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.12 views

llm-toys (=0.1.1), tcbench (>=0.0.20 <=0.0.22) +1 more potentially affected by CVE-2024-6483 via aim (>=3.17.4 <=3.19.3)

aim PYPI version =3.17.4, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2024-6483 Source advisory: OSV:GHSA-P6X3-V6G3-7557...

5.3CVSS6AI score0.00814EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2025/03/20 12:32 p.m.13 views

Aim Uncontrolled Resource Consumption vulnerability

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service DoS attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number o...

7.5CVSS6.7AI score0.00727EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2025/03/20 12:32 p.m.1 views

GHSA-P6X3-V6G3-7557 Aim Relative Path Traversal vulnerability

A vulnerability in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion...

5.3CVSS6AI score0.00814EPSS
Exploits1References3
OSV
OSV
added 2025/03/20 12:32 p.m.7 views

GHSA-35P3-6J45-PRWM Aim Uncontrolled Resource Consumption vulnerability

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service DoS attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number o...

7.5CVSS7.1AI score0.00727EPSS
Exploits1References3
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.6 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-12777 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-12777 Source advisory: SNYK:PYTHON-AIM-9511133...

5.9CVSS6.2AI score0.00442EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.6 views

dsipts (>=1.1.5 <=1.1.19), llm-toys (=0.1.1) +2 more potentially affected by CVE-2024-12777 via aim (>=3.17.4 <=3.20.1)

aim PYPI version =3.17.4, =1.1.5, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2024-12777 Source advisory: OSV:GHSA-V5PJ-JRPV-H6G2...

5.9CVSS6.2AI score0.00442EPSS
Exploits1
OSV
OSV
added 2025/03/20 12:32 p.m.4 views

GHSA-V5PJ-JRPV-H6G2 Aim vulnerable to Synchronous Access of Remote Resource without Timeout

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting ...

5.9CVSS7AI score0.00442EPSS
Exploits1References4
Snyk
Snyk
added 2025/03/20 12:32 p.m.4 views

Denial of Service (DoS)

Overview aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Denial of Service DoS due to the ScheduledStatusReporter object being instantiated to run on the main thread of the tracking server. An attacker can block the main...

8.7CVSS7.1AI score0.00588EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.9 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-10110 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-10110 Source advisory: SNYK:PYTHON-AIM-9511139...

7.5CVSS7.1AI score0.00588EPSS
Exploits1
OSV
OSV
added 2025/03/20 12:32 p.m.5 views

GHSA-FX47-JPV9-7HXR Aim Vulnerable to Denial of Service (DoS)

In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests...

7.5CVSS7AI score0.00588EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2025/03/20 12:32 p.m.10 views

dsipts (>=1.1.5 <=1.1.19), llm-toys (=0.1.1) +2 more potentially affected by CVE-2024-10110 via aim (>=3.17.4 <=3.20.1)

aim PYPI version =3.17.4, =1.1.5, =0.0.20, =0.1.0, =0.5.6 Source cves: CVE-2024-10110 Source advisory: OSV:GHSA-FX47-JPV9-7HXR...

7.5CVSS7AI score0.00588EPSS
Exploits1
Snyk
Snyk
added 2025/03/20 10:49 a.m.4 views

Cross-site Request Forgery (CSRF)

Overview aim is a super-easy way to record, search and compare AI experiments. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to overly permissive CORS settings that allow cross-origin requests from all origins. An attacker can manipulate the state of the...

9.6CVSS6.7AI score0.00474EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2025/03/20 10:49 a.m.11 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-7760 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-7760 Source advisory: SNYK:PYTHON-AIM-9637809...

9.6CVSS7.1AI score0.00474EPSS
Exploits1
NVD
NVD
added 2025/03/20 10:15 a.m.21 views

CVE-2024-8769

A vulnerability in the LockManager.releaselocks function in aimhubio/aim commit bb76afe allows for arbitrary file deletion through relative path traversal. The runhash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. Thi...

9.1CVSS0.00849EPSS
Exploits1References1
NVD
NVD
added 2025/03/20 10:15 a.m.7 views

CVE-2024-6851

In version 3.22.0 of aimhubio/aim, the LocalFileManager.cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory managed by LocalFileManager, allowing a maliciously crafted...

7.5CVSS0.00953EPSS
Exploits1References1
Rows per page
Query Builder