Aimstack Aim 3.19.3

5 matches found

CVE
added 2024/07/12 12:15 a.m. | 45 views

CVE-2024-6396

A vulnerability in the _backup_run function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the run_hash and repo.path parameters, which can be manipulated to create a...

CVSS 9.8 | AI score 9.8 | EPSS 0.80159

CVE
added 2024/07/08 7:15 p.m. | 39 views

CVE-2024-6227

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections.

CVSS 7.5 | AI score 7.4 | EPSS 0.00087

CVE
added 2025/03/20 10:15 a.m. | 38 views

CVE-2024-6829

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the tarfile.extractall() function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control repo.path and run_hash to bypass directory existence checks and...

CVSS 9.1 | AI score 7.1 | EPSS 0.00086

CVE
added 2024/07/29 7:15 p.m. | 36 views

CVE-2024-6578

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML fun...

CVSS 7.2 | AI score 6.4 | EPSS 0.00082

CVE
added 2025/03/20 10:15 a.m. | 35 views

CVE-2024-6483

A vulnerability in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. T...

CVSS 5.3 | AI score 5.5 | EPSS 0.00291