PT-2025-12170 · Aimhubio · Aim

Published

2025-03-20

·

Updated

2025-03-21

·

CVE-2024-6851

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

aimhubio/aim version 3.22.0

Description

The issue concerns the LocalFileManager.cleanup function in the aim tracking server, which accepts a user-specified glob pattern for deleting files. This function does not verify that the matched files are within the directory managed by LocalFileManager, so a maliciously crafted glob pattern can lead to arbitrary file deletion.

Recommendations

For aimhubio/aim version 3.22.0, consider restricting access to the LocalFileManager.cleanup function until a patch is available, or apply configuration changes to limit the scope of file deletion operations. As a temporary workaround, avoid using user-specified glob patterns in the aim tracking server to minimize the risk of exploitation.
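The missing check described above, as an added Python example that is not aim's own code: a hypothetical cleanup helper that expands a glob pattern, shown once without a containment check and once keeping only matches that resolve inside the managed directory. The directory layout and file names are constructed for the demo.

```python
import glob
import os
import tempfile
from pathlib import Path

# Hypothetical illustration, not aim's LocalFileManager: a cleanup helper
# that takes a glob pattern and deletes the matches.

def unchecked_matches(managed_dir: str, pattern: str) -> list:
    """Expand the pattern under managed_dir with no containment check.
    A pattern containing '..' (or an absolute path) can match files anywhere."""
    return sorted(glob.glob(os.path.join(managed_dir, pattern)))

def contained_matches(managed_dir: str, pattern: str) -> list:
    """Expand the pattern, skip symlinks, and keep only matches whose resolved
    path lies strictly inside the resolved managed directory."""
    root = Path(managed_dir).resolve()
    kept = []
    for match in glob.glob(os.path.join(managed_dir, pattern)):
        if os.path.islink(match):
            continue  # a link inside the directory may point outside it
        real = Path(match).resolve()
        if root in real.parents:  # rejects '..' escapes and absolute patterns
            kept.append(str(real))
    return sorted(kept)

def cleanup(managed_dir: str, pattern: str) -> list:
    """Delete only contained regular files; return what was removed."""
    removed = []
    for path in contained_matches(managed_dir, pattern):
        if os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    return removed

def demo() -> dict:
    """Constructed sample tree: one log inside the managed dir, one file outside."""
    tmp = tempfile.mkdtemp()
    managed = os.path.join(tmp, "managed")
    os.mkdir(managed)
    Path(managed, "run1.log").write_text("inside")
    Path(tmp, "secret.txt").write_text("outside")
    escape = "../secret.txt"  # constructed pattern that leaves the managed dir
    return {
        "unchecked_sees_outside": unchecked_matches(managed, escape) != [],
        "contained_sees_outside": contained_matches(managed, escape) != [],
        "removed": [os.path.basename(p) for p in cleanup(managed, "*.log")],
        "secret_survives": os.path.exists(os.path.join(tmp, "secret.txt")),
    }
```

The check resolves each match before comparing it to the managed root, so symlinks and `..` segments cannot widen the deletion scope.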

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2024-6851
GHSA-MRVR-7493-PFQ3

Affected Products

Aim