QID 980005

QID 980005: Python (pip) Security Update for aim (GHSA-8phj-f9w2-cjcc)

A security update has been released for aim to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with dot-dot-slash (../) sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files, and critical system files.

Vulnerable code: https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16
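The standard defence against the traversal pattern described above is to resolve the user-supplied path against a fixed root and refuse anything that does not stay under it. The Python function below is an added example, not code from the aim project or the advisory; the root directory `/srv/app/static`, the function name `safe_resolve` and the sample requests are all constructed for illustration.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed example root; not a path taken from the aim project.
STATIC_ROOT = "/srv/app/static"


def safe_resolve(root: str, requested: str) -> Optional[Path]:
    """Map an untrusted, user-supplied path onto a file under ``root``.

    Returns the resolved absolute path when it stays inside ``root``, or
    None when the request escapes the root via "..", an absolute path,
    or a percent-encoded variant of either.
    """
    # Refuse NUL bytes up front: realpath/stat raise on them and they
    # never occur in a legitimate file name.
    if "\0" in requested:
        return None

    # Decode one layer of percent-encoding so "..%2f" and "%2e%2e/" are
    # compared in decoded form. The containment check below is made on
    # the real filesystem path, so this is defence in depth, not the
    # primary control.
    decoded = unquote(requested)

    # resolve() collapses "." and ".." and follows symlinks, so the
    # comparison is made on the path the OS would actually open.
    root_path = Path(root).resolve()

    # pathlib discards the left operand when the right one is absolute,
    # so "/etc/passwd" stays "/etc/passwd" here and is rejected below.
    candidate = (root_path / decoded).resolve()

    # commonpath rather than a string prefix test, so that
    # "/srv/app/static-old" is not mistaken for a child of "/srv/app/static".
    if os.path.commonpath([root_path, candidate]) != str(root_path):
        return None
    return candidate


if __name__ == "__main__":
    samples = (
        "logs/run1.txt",             # legitimate request
        "logs/../../etc/passwd",     # dot-dot-slash traversal
        "/etc/passwd",               # absolute path
        "..%2f..%2fetc%2fpasswd",    # percent-encoded variation
    )
    for req in samples:
        print(f"{req!r:30} -> {safe_resolve(STATIC_ROOT, req)}")
```

The check is deliberately performed on the fully resolved path rather than on the raw string: a blocklist of `../` substrings misses encoded forms and symlinks, whereas a containment test on the resolved path rejects every route out of the root, whatever the spelling.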

  • CVSS V3 rated as Critical - 8.6 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    The vulnerability issue is resolved in Aim v3.1.0.
  • Vendor References
  • CVEs related to QID 980005
  • Software Advisories
    Advisory ID          Software Component   Link
    GHSA-8phj-f9w2-cjcc  aim                  github.com/advisories/GHSA-8phj-f9w2-cjcc