{"id":"GHSA-mxvw-cj37-8g2h","summary":"Aim Web API vulnerable to Remote Code Execution","details":"A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions \u003e= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.","aliases":["CVE-2024-2195"],"modified":"2024-10-25T19:24:33.756384Z","published":"2024-04-10T18:30:48Z","database_specific":{"nvd_published_at":"2024-04-10T17:15:54Z","github_reviewed_at":"2024-04-10T22:19:53Z","cwe_ids":["CWE-94"],"github_reviewed":true,"severity":"CRITICAL"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2195"},{"type":"PACKAGE","url":"https://github.com/aimhubio/aim"},{"type":"WEB","url":"https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018"}],"affected":[{"package":{"name":"aim","ecosystem":"PyPI","purl":"pkg:pypi/aim"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.0"},{"last_affected":"3.25.0"}]}],"versions":["3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.1.0","3.1.1","3.10.0","3.10.0.dev9","3.10.1","3.10.2","3.10.3","3.11.0","3.11.0.dev4","3.11.1","3.11.1.dev1","3.11.2","3.12.0","3.12.0.dev2","3.12.1","3.12.2","3.13.0","3.13.1","3.13.2","3.13.3","3.13.4","3.14.0","3.14.1","3.14.2","3.14.3","3.14.4","3.15.0","3.15.1","3.15.2","3.16.0","3.16.1","3.16.2","3.17.0","3.17.1","3.17.2","3.17.3","3.17.4","3.17.5","3.17.5rc1","3.17.5rc2","3.17.5rc3","3.17.5rc4","3.18.0","3.18.0.dev2","3.18.0.dev3","3.18.0.dev4","3.18.0.dev5","3.18.1","3.19.0","3.19.1","3.19.2","3.19.3","3.2.0","3.2.1","3.2.2","3.20.1","3.21.0","3.22.0","3.23.0","3.24.0","3.25.0","3.25.0.dev20240814","3.25.0.dev20240815","3.25.0.dev20240816","3.25.0.dev20240817","3.25.0.dev20240818","3.25.0.dev20240819","3.25.0.dev20240820","3.25.0.dev20240821","3.25.0.dev20240822","3.25.0.dev20240823","3.25.0.dev20240824","3.25.0.dev20240825","3.25.0.dev20240826","3.25.0.dev20240827","3.25.0.dev20240828","3.25.0.dev20240829","3.25.0.dev20240830","3.25.0.dev20240831","3.25.0.dev20240901","3.25.0.dev20240927","3.25.0.dev20240928","3.25.0.dev20240929","3.25.0.dev20240930","3.25.0.dev20241001","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.4.0","3.4.1","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.6.0","3.6.1","3.6.2","3.6.3","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.8.0","3.8.1","3.9.0a1","3.9.0a14","3.9.2","3.9.3","3.9.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-mxvw-cj37-8g2h/GHSA-mxvw-cj37-8g2h.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}