CVE-2024-8769
Published: 20 March 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2024-8769 is a path traversal vulnerability in the `LockManager.release_locks` function within aimhubio/aim at commit bb76afe, enabling arbitrary file deletion. The user-controlled `run_hash` parameter is concatenated without normalization into a path used for file deletion operations. This flaw is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API.
Attackers can exploit this vulnerability remotely over the network with no authentication or user interaction required, as reflected in its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and its classification under CWE-22. By sending a crafted `run_hash` value to the tracking server's instruction API, an unauthenticated attacker can delete any file on the host that the tracking-server process has permission to remove; the impact is to integrity and availability, not confidentiality (C:N).
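The vulnerable pattern and one way to harden it, as an added example that is not aim's own code: `release_lock_vulnerable`, `release_lock_hardened`, the `.softlock` suffix and the hex-only `run_hash` format are assumptions made for illustration. The fix allow-lists the identifier and confirms that the resolved path still sits directly inside the locks directory before anything is unlinked.

```python
import os
import re
import tempfile
from pathlib import Path

# Illustrative lock-file layout modelled on the page's description of
# LockManager.release_locks: one lock file per run under a locks directory.
# Function and file names are assumptions, not aim's actual code.


def release_lock_vulnerable(locks_dir: str, run_hash: str) -> str:
    """Pattern described in the advisory: run_hash is joined into a path
    with no normalization or containment check, then the file is deleted."""
    lock_path = os.path.join(locks_dir, run_hash + ".softlock")  # naive concat
    if os.path.exists(lock_path):
        os.remove(lock_path)
    return lock_path


class UnsafeRunHash(ValueError):
    pass


# Assumption for this example: a valid run hash is a short lowercase hex string.
_RUN_HASH_RE = re.compile(r"^[0-9a-f]{1,64}$")


def release_lock_hardened(locks_dir: str, run_hash: str) -> str:
    # 1. allow-list the identifier format: no separators, no dot segments
    if not _RUN_HASH_RE.fullmatch(run_hash):
        raise UnsafeRunHash(f"invalid run_hash: {run_hash!r}")
    base = Path(locks_dir).resolve()
    # 2. defence in depth: resolve the final path (following symlinks) and
    #    require its parent to be exactly the locks directory
    lock_path = (base / f"{run_hash}.softlock").resolve()
    if lock_path.parent != base:
        raise UnsafeRunHash(f"path escapes locks dir: {lock_path}")
    if lock_path.is_file():
        lock_path.unlink()
    return str(lock_path)


def demo() -> dict:
    """Build a throwaway tree, fire a traversal payload at both versions and
    report which one deleted the constructed 'victim' file outside locks/."""
    root = Path(tempfile.mkdtemp())
    locks = root / "locks"
    locks.mkdir()
    victim = root / "secret.softlock"          # constructed target outside locks/
    victim.write_text("x")
    (locks / "abc123.softlock").write_text("lock")

    payload = "../secret"                       # climbs out of locks/ to the victim
    release_lock_vulnerable(str(locks), payload)
    deleted_by_vulnerable = not victim.exists()

    victim.write_text("x")                      # recreate for the hardened run
    try:
        release_lock_hardened(str(locks), payload)
        hardened_rejected = False
    except UnsafeRunHash:
        hardened_rejected = True

    release_lock_hardened(str(locks), "abc123")  # legitimate release still works
    return {
        "deleted_by_vulnerable": deleted_by_vulnerable,
        "hardened_rejected": hardened_rejected,
        "victim_survives_hardened": victim.exists(),
        "legit_lock_released": not (locks / "abc123.softlock").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Two details worth checking in any similar code path: `os.path.join` silently discards the base directory when the second component is absolute, so a `run_hash` of `/etc/foo` would target the filesystem root rather than the locks directory, and a containment check that runs on the unresolved string instead of the resolved path can still be bypassed through `..` segments or symlinks. The format allow-list is the primary control here; the resolved-path check is a backstop.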
Mitigation details and additional technical analysis are available in the Huntr advisory at https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7.
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
- Affected Products: aimhubio/aim at commit bb76afe
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1485 Data Destruction
Why these techniques?
Remote unauthenticated path traversal in the public-facing tracking server API maps directly to T1190 (Exploit Public-Facing Application); the resulting arbitrary file deletion on the server host maps to T1485 (Data Destruction).