We use cookies to improve your experience on our site.
AVID-2026-R1419
Description
Remote Code Execution in aimhubio/aim (CVE-2024-2195)
Details
A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.
Reason for inclusion in AVID: This CVE describes a remote code execution vulnerability in an AI tooling component (aimhubio/aim) with a direct impact on AI software stacks. The vulnerable API is part of an AI experiment-tracking/automation workflow, and exploitation could compromise systems deploying general-purpose AI applications. Therefore it concerns AI/ML tooling and the software supply chain for AI systems.
References
Affected or Relevant Artifacts
- Developer: aimhubio
- Deployer: aimhubio
- Artifact Details:
| Type | Name |
|---|---|
| System | aimhubio/aim |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-94 | CWE-94 Improper Control of Generation of Code |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-04-10
- Version: 0.3.3
- AVID Entry