CVE-2021-43775

{"id": "CVE-2021-43775", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2021-11-23T21:15:20.347", "references": [{"url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/aimhubio/aim/issues/999", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/aimhubio/aim/pull/1003", "tags": ["Patch", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/aimhubio/aim/blob/0b99c6ca08e0ba7e7011453a2f68033e9b1d1bce/aim/web/api/views.py#L9-L16", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/aimhubio/aim/issues/999", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/aimhubio/aim/pull/1003", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/aimhubio/aim/pull/1003/commits/f01266a1a479ef11d7d6c539e7dd89e9d5639738", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/aimhubio/aim/security/advisories/GHSA-8phj-f9w2-cjcc", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with \u201cdot-dot-slash (../)\u201d sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. The vulnerability issue is resolved in Aim v3.1.0."}, {"lang": "es", "value": "Aim es una herramienta de seguimiento de experimentos de aprendizaje autom\u00e1tico de c\u00f3digo abierto. Las versiones de Aim anteriores a la 3.1.0 son vulnerables a un ataque de salto de ruta. Mediante la manipulaci\u00f3n de variables que hacen referencia a archivos con secuencias \u201cdot-dot-slash (../)\u201d y sus variaciones o mediante el uso de rutas de archivo absolutas, puede ser posible acceder a archivos y directorios arbitrarios almacenados en el sistema de archivos, incluyendo el c\u00f3digo fuente de la aplicaci\u00f3n o la configuraci\u00f3n y los archivos cr\u00edticos del sistema. El problema de la vulnerabilidad ha sido resuelto en Aim versi\u00f3n v3.1.0"}], "lastModified": "2024-11-21T06:29:45.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aimstack:aim:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "AE237926-EEBB-4E1F-9F74-FB5845332FC8", "versionEndExcluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}