cbcvebase.
CVE-2024-6396
published 2024-07-12


Priority: P188 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 53.39% (98.9th percentile)
A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the `run_hash` and `repo.path` parameters, which can be manipulated to create and write to arbitrary file paths. This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution.

Affected (2 ranges)

Vendor     Product        Version range          Fixed in
aimhubio   aimhubio_aim   unspecified – latest
aimstack   aim

Detection & IOCs (extracted from sources)

url: /tracking/client_1/get-resource
url: /tracking/client_1/read-instruction
path: ../../../../usr/local/lib/python3.9/site-packages/aim_ui/build/
url: /static-files/
port: 43800
other: icon_hash=-1047157256
other: AAAAAAABAAAABw==
bytes: 000000000001000000060a000000fe0000000000000000fe004b000000042e2e2f2e2e2f2e2e2f2e2e2f7573722f6c6f63616c2f6c69622f707974686f6e332e392f736974652d7061636b616765732f61696d5f75692f6275696c642f
  • Monitor for POST requests to /tracking/client_1/get-resource with resource_type 'Repo' as the first stage of the two-step exploit chain
  • Alert on successful exploitation by detecting GET requests to /static-files/*.txt on port 43800 following a _backup_run call, which indicates successful file write and exfiltration
  • Inspect base64-decoded args in _backup_run requests for path traversal payloads targeting site-packages directories (e.g., aim_ui/build/)
  • Confirm a vulnerable Aim server instance via FOFA using icon hash -1047157256
  • The exploit is unauthenticated (PR:N) and requires no user interaction, making it exploitable against any exposed Aim server instance on the network.
  • The path traversal payload specifically targets Python 3.9 site-packages; environments using different Python versions will have a different target path in the args payload.
  • The exploit is a three-step chain: (1) establish a resource handle via get-resource, (2) trigger file write via read-instruction/_backup_run, (3) exfiltrate via static-files on port 43800. All three steps must succeed for full exploitation.
  • EPSS score of 0.90382 (99.6th percentile) indicates very high probability of active exploitation in the wild.

CVSS provenance

nvd: v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL