
AVID-2026-R1633

Description

Directory Traversal in polyaxon/polyaxon (CVE-2024-9362)

Details

An unauthenticated directory traversal vulnerability exists in Polyaxon, affecting the latest version. This vulnerability allows an attacker to retrieve directory information and file contents from the server without proper authorization, leading to sensitive information disclosure. The issue enables access to system directories such as /etc, potentially resulting in significant security risks.

Reason for inclusion in AVID: CVE-2024-9362 describes an unauthenticated directory traversal vulnerability in Polyaxon, a platform used to build, train, deploy, and manage AI/ML workflows. This vulnerability enables unauthorized access to server filesystem data, which can lead to information disclosure within AI pipelines. As Polyaxon is part of the software stack in general-purpose AI systems (dependencies/runtime for ML workflows), this is a software supply-chain vulnerability relevant to GP AI systems. It is clearly AI-related and security-related, with sufficient public evidence (CVE entry and CVSS details).
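The Details and the reason-for-inclusion text above describe the CWE-22 pattern behind this advisory: a server-side path resolver that lets an unauthenticated request walk out of the directory it is meant to serve and read system files such as /etc/passwd. The following is an added illustration, not Polyaxon's code and not the exploit for CVE-2024-9362 (the advisory names no endpoint or parameter, and none is assumed here). It puts a naive `os.path.join()` resolver beside a hardened one and drives both against a constructed temporary tree, in which `secret.txt` one level above the served root stands in for /etc/passwd. All function names and the fixture layout are hypothetical.

```python
"""CWE-22 demonstration: an unsafe file-serving resolver beside a hardened one.

Hypothetical code added for illustration; it is not from Polyaxon and does not
reproduce CVE-2024-9362. The fixture tree is constructed in a temp directory.
"""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path resolves outside the served root."""


def unsafe_resolve(root: str, requested: str) -> str:
    """Naive join, the shape of most CWE-22 bugs.

    os.path.join() discards `root` entirely when `requested` is absolute,
    "../" walks out of `root` after normalisation, and a symlink inside the
    root is followed without any check on where it points.
    """
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root: str, requested: str) -> str:
    """Resolve `requested` under `root`, refusing anything that escapes it.

    1. Strip leading separators so an absolute request is re-rooted instead
       of replacing the root.
    2. realpath() both sides so "..", "." and symlinks are fully collapsed.
    3. Require the real root to be a path-component prefix of the result.
       commonpath() is used rather than str.startswith() so that a root of
       "/srv/data" does not admit "/srv/data2/...".
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested.lstrip("/\\")))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise TraversalError(f"refusing path outside served root: {requested!r}")
    return candidate


def read_served_file(root: str, requested: str, resolver=safe_resolve) -> str:
    """Read a file the way a download/listing handler would, via `resolver`."""
    with open(resolver(root, requested), encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree() -> tuple[str, str]:
    """Constructed fixture: served root with one public file, a secret file
    one level above it (stand-in for /etc/passwd), and a symlink inside the
    root pointing at that secret."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    served = os.path.join(base, "artifacts")
    os.makedirs(served)
    secret = os.path.join(base, "secret.txt")
    Path(served, "model.txt").write_text("public model metadata\n")
    Path(secret).write_text("root:x:0:0\n")
    os.symlink(secret, os.path.join(served, "link.txt"))
    return served, secret


def demonstrate() -> dict:
    """Run the same requests through both resolvers and collect the outcomes."""
    served, secret = build_demo_tree()
    real_root = os.path.realpath(served)
    results = {}

    # A legitimate request works through both resolvers.
    results["public_unsafe"] = read_served_file(served, "model.txt", unsafe_resolve)
    results["public_safe"] = read_served_file(served, "model.txt", safe_resolve)

    # Three ways the naive resolver leaks the secret: "../", an absolute
    # path (join() drops the root), and a symlink inside the root.
    results["dotdot_unsafe"] = read_served_file(served, "../secret.txt", unsafe_resolve)
    results["absolute_unsafe"] = read_served_file(served, secret, unsafe_resolve)
    results["symlink_unsafe"] = read_served_file(served, "link.txt", unsafe_resolve)

    # The hardened resolver rejects "../" and the symlink outright ...
    rejected = 0
    for payload in ("../secret.txt", "link.txt"):
        try:
            read_served_file(served, payload, safe_resolve)
        except TraversalError:
            rejected += 1
    results["safe_rejected"] = rejected

    # ... and re-roots the absolute payload under the served directory, so the
    # returned path can never point outside it (it simply will not exist).
    results["absolute_confined"] = (
        os.path.commonpath([real_root, safe_resolve(served, secret)]) == real_root
    )
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The check that matters is the last one in `safe_resolve`: normalising the string is not enough on its own, because a symlink planted inside the served root still resolves to a file outside it, and a prefix comparison on the unresolved string can be fooled by a sibling directory that shares the root's name as a prefix. Resolving to a real path and then comparing path components closes both gaps; for a service that should also never serve unexpected file types, a whitelist of the served directory's contents is a stronger control than path matching alone.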

References

Affected or Relevant Artifacts

  • Developer: polyaxon
  • Deployer: polyaxon
  • Artifact Details:
      • Type: System
      • Name: polyaxon/polyaxon

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Base Score: 7.5
  • Base Severity: High
  • Attack Vector: NETWORK
  • Attack Complexity: Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: High
  • Integrity Impact: NONE
  • Availability Impact: NONE

CWE

  • ID: CWE-22
  • Description: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry