AVID-2026-R1586

Description

Arbitrary File Overwrite and Data Exfiltration in aimhubio/aim (CVE-2024-6396)

Details

A vulnerability in the _backup_run function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the run_hash and repo.path parameters, which can be manipulated to create and write to arbitrary file paths. This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution.

Reason for inclusion in AVID: The CVE describes a high-severity remote file overwrite and data exfiltration vulnerability in aimhubio/aim, a software component used in ML/AI workflows (experiment tracking/deployment tooling). This affects the software supply chain of general-purpose AI systems since it targets a runtime/tooling component commonly used in building, training, packaging, deploying, or serving AI models. The vulnerability enables file path manipulation leading to potential RCE, data exfiltration, and DoS, with explicit CVSS 3.0 details and CWE-29 path traversal. Sufficient signal is provided to classify and curate.

References

• NVD entry
• https://huntr.com/bounties/c1b17afd-4656-47bb-8310-686a9e1b04a0

Affected or Relevant Artifacts

• Developer: aimhubio
• Deployer: aimhubio
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-07-12
• Version: 0.3.3
• AVID Entry