CVE-2024-2195

Name of the Vulnerable Software and Affected Versions: aimhubio/aim versions >= 3.0.0

Description: A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the "/api/runs/search/run/" endpoint. The vulnerability resides in the run search api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

Recommendations: As a temporary workaround, consider disabling the run search api function until a patch is available. Restrict access to the /api/runs/search/run/ endpoint to minimize the risk of exploitation. Avoid using the query parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.