PT-2025-12224 · Unknown+1 · Restrictedpython+1
Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-8238
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
aimhubio/aim version 3.22.0
Description
The AimQL query language in aimhubio/aim uses an outdated version of the safer_getattr() function from RestrictedPython, which does not protect against the str.format_map() method. This allows an attacker to read arbitrary attributes of Python objects, including sensitive variables such as os.environ, and thereby leak server-side secrets or potentially gain unrestricted code execution. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.
Recommendations
For version 3.22.0, update the safer_getattr() function from RestrictedPython to a version that protects against the str.format_map() method, which closes off the code execution and sensitive data leakage described above. As a temporary workaround, restrict access to sensitive variables and limit the ability to write files to known locations on the Aim server.
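To make the gap in the description and the fix in the recommendation concrete, here is an added illustration (not Aim's or RestrictedPython's own code) of a RestrictedPython-style attribute guard in its older form, which refuses only str.format, beside a hardened form that also refuses str.format_map. All function names are hypothetical.

```python
# Added illustration: an attribute guard in the style of RestrictedPython's
# safer_getattr(), in its outdated form (blocks str.format only) and a
# hardened form (blocks str.format and str.format_map). Hypothetical names;
# this is not the library's or Aim's own code.

_MARKER = object()


def _base_guard(name):
    """Shared checks: attribute names must be strings and must not be private."""
    if not isinstance(name, str):
        raise TypeError("attribute name must be a string")
    if name.startswith("_"):
        raise AttributeError(
            f'"{name}" is an invalid attribute name because it starts with "_"')


def outdated_safer_getattr(obj, name, default=_MARKER):
    """Old behaviour: str.format is refused, but str.format_map slips through."""
    _base_guard(name)
    if isinstance(obj, str) and name == "format":
        raise NotImplementedError("Using format() on a str is not safe.")
    if default is _MARKER:
        return getattr(obj, name)
    return getattr(obj, name, default)


def hardened_safer_getattr(obj, name, default=_MARKER):
    """Hardened behaviour: both str.format and str.format_map are refused,
    since either can walk attribute chains driven by a format string."""
    _base_guard(name)
    if isinstance(obj, str) and name in ("format", "format_map"):
        raise NotImplementedError(f"Using {name}() on a str is not safe.")
    if default is _MARKER:
        return getattr(obj, name)
    return getattr(obj, name, default)


def allows_format_map(guard):
    """True if `guard` lets a query reach str.format_map (the weak case)."""
    try:
        guard("{run}", "format_map")  # constructed sample query fragment
    except NotImplementedError:
        return False
    return True


if __name__ == "__main__":
    print("outdated guard exposes format_map:", allows_format_map(outdated_safer_getattr))
    print("hardened guard exposes format_map:", allows_format_map(hardened_safer_getattr))
```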
Improper Access Control
Affected Products
Restrictedpython
Aim