Arbitrary File Deletion Vulnerability in Aimhubio's Tracking Server
CVE-2024-6851

7.5HIGH

Key Information:

Vendor: Aimhubio
Status: Aimhubio/aim
Vendor: CVE Published:; 20 March 2025

Summary

In version 3.22.0 of aimhubio's aim, the LocalFileManager._cleanup function permits the use of user-defined glob patterns for file deletion. This design flaw allows attackers to specify malicious glob patterns that can result in the deletion of files outside the designated directory managed by LocalFileManager. The lack of validation ensures that unauthorized and potentially destructive file operations can be executed, posing significant risks to the integrity and availability of data.

Affected Version(s)

aimhubio/aim <= unspecified

References

https://huntr.com/bounties/839703fb-23b7-4dc4-ae81-44cd47...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Jul 17, 2024