9.8

CVSS Score

Basic Information

CVE ID

CVE-2024-2195

GHSA ID

GHSA-mxvw-cj37-8g2h

EPSS Score

CWE

CWE-94

Published

4/10/2024

Updated

10/25/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-2195

CVE-2024-2195:
Aim Web API vulnerable to Remote Code Execution

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restriction of user access to the RunView object allows for the execution of arbitrary code via the query parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2024-2195

GHSA ID

GHSA-mxvw-cj37-8g2h

EPSS Score

CWE

CWE-94

Published

4/10/2024

Updated

10/25/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
aim	pip	>= 3.0.0, <= 3.25.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the run_search_api function in aim/web/api/runs/views.py as the location of the RCE flaw. The function's handling of the 'query' parameter with insufficient access controls to the RunView object creates an injection vector. Multiple authoritative sources (GitHub Advisory, NVD, huntr) consistently reference this function as the attack surface. The CWE-94 classification confirms this is a direct code injection scenario rather than a configuration or dependency issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *riti**l R*mot* *o** *x**ution (R**) vuln*r**ility w*s i**nti*i** in t** *im*u*io/*im proj**t, sp**i*i**lly wit*in t** `/*pi/runs/s**r**/run/` *n*point, *****tin* v*rsions >= *.*.*. T** vuln*r**ility r*si**s in t** `run_s**r**_*pi` *un*tion o* t**

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** run_s**r**_*pi *un*tion in *im/w**/*pi/runs/vi*ws.py *s t** lo**tion o* t** R** *l*w. T** *un*tion's **n*lin* o* t** 'qu*ry' p*r*m*t*r wit* insu**i*i*nt ****ss *ontrols to t** RunVi*w o*j**t *r*

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-2195: Aim Web API vulnerable to Remote Code Execution

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-2195:
Aim Web API vulnerable to Remote Code Execution

Vulnerability Intelligence
Miggo AI