CVE-2024-8769

CRITICAL Year: 2024
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-29
View all →

Vulnerability Description

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

Related Vulnerabilities

CVE-2024-5211

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend against path traversal attacks. This vulnerability enables t...

CWE-292024

CVE-2024-5926

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue i...

CWE-292024

CVE-2024-7957

CRITICAL
CVSS:9.1(Critical)

An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the load_credentials method, where user-contro...

CWE-292024

CVE-2024-8537

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete ar...

CWE-292024

CVE-2024-3573

CRITICAL
CVSS:9.3(Critical)

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_loc...

CWE-292024

CVE-2024-11170

HIGH
CVSS:8.8(High)

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and po...

CWE-292024