PT-2025-12245 · Aimhubio · Aim

Published 2025-03-20 · Updated 2025-03-20 · CVE-2024-8769

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
aimhubio/aim version bb76afe

Description
A vulnerability in the LockManager.release_locks function allows arbitrary file deletion through relative path traversal. The user-controllable run_hash parameter is concatenated, without normalization, into the path of the file to be deleted. The vulnerable code is reachable through the Repo.close_run() method, which is exposed by the tracking server's instruction API. As a result, an attacker can delete any file on the machine running the tracking server.

Recommendations
As a temporary workaround, consider disabling the LockManager.release_locks function until a patch is available. Restrict access to the Repo.close_run() method to minimize the risk of exploitation. Avoid using the run_hash parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
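The following is an added illustration of the flaw class described above and of the containment check that closes it; it is constructed for this advisory and is not Aim's own code. The lock-file naming, the hex-only run-hash alphabet enforced by HASH_RE, and the function names are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed run-hash alphabet (hex only); a real project should use its own allow-list.
HASH_RE = re.compile(r"^[0-9a-f]{8,64}$")


def vulnerable_release_locks(locks_dir: str, run_hash: str) -> str:
    """Unsafe pattern: the caller-supplied hash is joined into the path unvalidated,
    so a value containing '../' segments escapes locks_dir before the delete."""
    target = os.path.join(locks_dir, f"{run_hash}.lock")
    if os.path.exists(target):
        os.remove(target)
    return target


def safe_release_locks(locks_dir: str, run_hash: str) -> str:
    """Hardened form: allow-list the identifier, then confirm the resolved path is
    still inside locks_dir before touching the filesystem (defence in depth)."""
    if not HASH_RE.fullmatch(run_hash):
        raise ValueError(f"invalid run hash: {run_hash!r}")
    base = Path(locks_dir).resolve()
    target = (base / f"{run_hash}.lock").resolve()
    if base not in target.parents:  # containment check defeats any traversal
        raise ValueError("lock path escaped locks directory")
    if target.exists():
        target.unlink()
    return str(target)


def demo() -> dict:
    """Build a scratch tree (constructed input) and compare both implementations
    on a traversal-style hash and on a legitimate one."""
    with tempfile.TemporaryDirectory() as root:
        locks = os.path.join(root, "locks")
        os.mkdir(locks)
        victim = Path(root, "victim.lock")
        victim.write_text("not a lock file")
        traversal = "../victim"  # constructed attacker-style value
        vulnerable_release_locks(locks, traversal)
        vuln_deleted_outside = not victim.exists()
        try:
            safe_release_locks(locks, traversal)
            safe_blocked = False
        except ValueError:
            safe_blocked = True
        Path(locks, "deadbeef.lock").write_text("")
        safe_release_locks(locks, "deadbeef")
        legit_released = not Path(locks, "deadbeef.lock").exists()
    return {"vulnerable_deleted_outside": vuln_deleted_outside,
            "safe_blocked": safe_blocked, "legit_released": legit_released}
```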

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-8769
GHSA-4QCX-JX49-6QRH

Affected Products

Aim