Skip to content

Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations

High severity GitHub Reviewed Published Apr 10, 2024 to the GitHub Advisory Database • Updated Apr 10, 2024

Package

pip aim (pip)

Affected versions

<= 3.17.5

Patched versions

None

Description

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.

References

Published by the National Vulnerability Database Apr 10, 2024
Published to the GitHub Advisory Database Apr 10, 2024
Reviewed Apr 10, 2024
Last updated Apr 10, 2024

Severity

High
8.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2024-2196

GHSA ID

GHSA-99w2-67h8-5948

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.