CVE-2024-8238
Published: 20 March 2025
Description
Adversaries may abuse Python commands and scripts for execution.
Security Summary
CVE-2024-8238 is a vulnerability in version 3.22.0 of aimhubio/aim, an open-source tool for machine learning experiment tracking. The issue resides in the AimQL query language, which relies on an outdated version of the safer_getattr() function from RestrictedPython. That version does not guard against the str.format_map() method, so attackers can read arbitrary attributes of Python objects and leak server-side secrets, such as those in os.environ, or potentially achieve unrestricted code execution.
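The guard gap described above, shown as an added example that is not code from Aim or RestrictedPython: guard_old and guard_new are hypothetical stand-ins for an outdated and a hardened attribute guard, and the Run object with its _token value is constructed sample data.

```python
# Added illustration. guard_old / guard_new are hypothetical stand-ins,
# not the actual safer_getattr() from RestrictedPython or Aim.

class Run:
    """Constructed sample object exposed to sandboxed query code."""
    def __init__(self):
        self.name = "exp-1"
        self._token = "CONSTRUCTED-SECRET"  # underscore names are off-limits


def guard_old(obj, name):
    """Outdated-style guard: rejects only underscore-prefixed names."""
    if name.startswith("_"):
        raise AttributeError(f"{name!r} is not allowed")
    return getattr(obj, name)


def guard_new(obj, name):
    """Hardened guard: also refuses the str formatting methods.

    Replacement fields such as "{r.attr}" are resolved inside the string
    formatter itself, so those attribute lookups never reach the guard.
    """
    is_str = isinstance(obj, str) or (
        isinstance(obj, type) and issubclass(obj, str)
    )
    if is_str and name in ("format", "format_map"):
        raise NotImplementedError(f"str.{name} is not allowed in the sandbox")
    return guard_old(obj, name)


def sandboxed_format(guard, template, mapping):
    """Model sandboxed `template.format_map(mapping)`: only the method
    lookup on the string goes through the guard."""
    method = guard(template, "format_map")
    return method(mapping)


if __name__ == "__main__":
    run = Run()
    # Old guard: direct access to _token is refused, formatting is not.
    print(sandboxed_format(guard_old, "{r._token}", {"r": run}))
    try:
        sandboxed_format(guard_new, "{r._token}", {"r": run})
    except NotImplementedError as exc:
        print("blocked:", exc)
```

A useful regression test for any sandbox built on this pattern is to assert that both format and format_map lookups on str instances and on the str type itself are refused.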
Remote, unauthenticated attackers can exploit this vulnerability over the network with no user interaction required, though it demands high attack complexity. Initial exploitation allows extraction of sensitive environment variables and other secrets. If the attacker can write files to a known location on the Aim server, they can leverage str.format_map() to load a malicious .dll or .so file into the Python interpreter, resulting in full code execution. The CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-1336 (Incorrect Handling of Shared Resource Lifetime).
Details on advisories, patches, or mitigations are available in the Huntr bounty report at https://huntr.com/bounties/4e140ef9-f6d1-4e68-a44c-3b9e856924d3, published on 2025-03-20.
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Aim (aimhubio/aim) is an open-source AI/ML experiment tracking platform, fitting under 'Other Platforms' as it manages and queries ML experiments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in AimQL enables exploitation of a public-facing Aim server (T1190), leakage of server-side secrets such as os.environ (T1212), and unrestricted Python code execution (T1059.006), potentially via malicious DLL/SO loading.