Vulnerability in Aimhubio Aim with Outdated Python Functionality
CVE-2024-8238

5.9 MEDIUM

Key Information:

Vendor
Aimhubio
CVE Published:
20 March 2025

Summary

In version 3.22.0 of Aimhubio Aim, the AimQL query language incorporates a legacy version of the safer_getattr() function from RestrictedPython, which is not designed to mitigate the risks associated with the str.format_map() method. This vulnerability allows attackers to leak sensitive information from the server or even execute arbitrary code. By leveraging the ability of str.format_map() to access various attributes of Python objects, malicious actors can disclose critical variables, including environmental settings. If an attacker has write access to a specific location on the Aim server, they can exploit this weakness to load a harmful .dll or .so file, gaining unrestricted access to execute code within the Python interpreter.
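The mechanism above is that a replacement field such as `{name.attr}` or `{name[key]}` makes `str.format_map()` call `getattr()` or `__getitem__` on the looked-up object, so any object reachable from the mapping can be walked. The following is an added example, not code from the advisory or from the Aim project, showing the mitigation a defender would want in a template layer: the fields are parsed with Python's `string.Formatter` and any attribute or index access is rejected before `format_map()` runs. The context variables and template strings are constructed for illustration.

```python
import string

# Constructed sample context: the kind of plain variables a query template
# might legitimately be allowed to read (assumed names, not from the advisory).
SAMPLE_CONTEXT = {"run": "exp-42", "metric": "loss"}


def find_unsafe_fields(template: str) -> list:
    """Return every replacement field that reaches into object internals.

    string.Formatter().parse() yields (literal, field_name, format_spec,
    conversion) tuples. A field_name containing '.' or '[' tells
    str.format_map() to perform getattr()/__getitem__ on the looked-up
    value, which is exactly the attribute traversal this advisory describes.
    A format spec may itself contain nested replacement fields, so it is
    parsed recursively.
    """
    unsafe = []
    for _literal, field_name, spec, _conversion in string.Formatter().parse(template):
        if field_name is None:
            continue  # trailing literal text, no field
        if "." in field_name or "[" in field_name:
            unsafe.append(field_name)
        if spec:
            unsafe.extend(find_unsafe_fields(spec))
    return unsafe


def safe_format(template: str, context: dict) -> str:
    """Format a template, refusing fields that access attributes or items.

    Only top-level names from `context` may be substituted; a missing name
    raises KeyError from format_map() rather than falling back to anything.
    """
    unsafe = find_unsafe_fields(template)
    if unsafe:
        raise ValueError(f"attribute/index access not allowed in fields: {unsafe}")
    return template.format_map(context)


if __name__ == "__main__":
    print(safe_format("{run}/{metric}", SAMPLE_CONTEXT))   # exp-42/loss
    for bad in ("{run.__class__}", "{run[0]}", "{run:{metric.__class__}}"):
        try:
            safe_format(bad, SAMPLE_CONTEXT)
        except ValueError as exc:
            print("rejected:", exc)
```

The check runs on the template rather than on the values, so it does not depend on which objects happen to be in the mapping; it also catches fields hidden inside a nested format spec, which a naive substring check on the top-level field names would miss.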

Affected Version(s)

aimhubio/aim <= unspecified

References

CVSS V3.0

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2024-8238 : Vulnerability in Aimhubio Aim with Outdated Python Functionality | SecurityVulnerability.io