<p>There is no fixed version for <code>aim</code>.</p>

Improper Control of Generation of Code ('Code Injection') Affecting aim package, versions [3.0.0,]

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-AIM-6595943
published 11 Apr 2024
disclosed 10 Apr 2024
credit Ahmed Yasser Merzouk Bensellou

Report a new vulnerability Found a mistake?

Introduced: 10 Apr 2024

New CVE-2024-2195 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

There is no fixed version for aim.

Overview

aim is a super-easy way to record, search and compare AI experiments.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to improper restriction of user access to the RunView object. An attacker can execute arbitrary commands on the server, potentially leading to full system compromise by exploiting the query parameter in the /api/runs/search/run/ endpoint.

PoC

run.run.dataframe().query("@run.run.__class__.__init__.__globals__['logging'].os.system('id')")

References

GitHub Advisory