VYPR
Critical severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Arbitrary File Overwrite through tarfile-extraction in aimhubio/aim

CVE-2024-6829

Description

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the tarfile.extractall() function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control repo.path and run_hash to bypass directory existence checks and extract files to unintended locations, potentially overwriting critical files. This can lead to arbitrary data being written to arbitrary locations on the remote tracking server, which could be used for further attacks such as writing a new SSH key to the target server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In aimhubio/aim version 3.19.3, a path traversal vulnerability via `tarfile.extractall()` allows an attacker to write arbitrary files to arbitrary locations on the host server.

Vulnerability

Description

CVE-2024-6829 is a path traversal vulnerability in aimhubio/aim version 3.19.3. The root cause is the unsafe use of tarfile.extractall() without validating where each member's path resolves [2]. An attacker who can control the repo.path and run_hash parameters can bypass directory existence checks, allowing a maliciously crafted tarfile to extract its contents to arbitrary locations on the host server [1][2].

Exploitation

Exploitation requires the attacker to have the ability to supply a specially crafted tarfile and control the repo.path and run_hash values. The lack of proper path sanitization when calling tarfile.extractall() enables the attacker to direct file extraction outside of the intended repository directory [2]. No authentication is mentioned as a prerequisite, suggesting that the vulnerability can be leveraged by any user who can submit data to the Aim tracking server [1][2].

Impact

Successful exploitation allows an attacker to write arbitrary data to arbitrary file paths on the remote tracking server. This could lead to overwriting critical system files, such as configuration files or user authentication keys. For example, an attacker could write a new SSH key to the target server, gaining persistent remote access [2]. The impact is high, as it can lead to full server compromise depending on the permissions of the Aim process [1][2].

Mitigation

As of the publication date, the vulnerability exists in aimhubio/aim version 3.19.3, and no patch has been linked from this page. Users should upgrade to a patched release if one is available; otherwise, validate every tarfile member before extraction (reject names that resolve outside the destination directory, absolute names, and symlink or hardlink members) and, on interpreters that support PEP 706 extraction filters, extract with filter="data" so the standard library refuses such members. The official GitHub repository may contain the fix [1]. The vulnerability has been tracked by Huntr and assigned a bounty [3], indicating active remediation efforts.
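As an added illustration (not code from the aim project or from this advisory), the vulnerable pattern described under Exploitation is shown beside a hardened extractor of the kind the Mitigation note calls for. The tarball is constructed in memory and kept inside a temporary sandbox; the run_directory helper and the hex-only run-hash format it enforces are assumptions for the demo, not aim's actual layout or hash format.

```python
"""Path traversal via tarfile.extractall(), and a hardened extractor."""
import io
import os
import re
import shutil
import tarfile
import tempfile
from typing import Dict, List

# Constructed sample tarball: one benign member plus one whose name climbs
# two directories above the extraction directory. Not a real attacker artifact.
MEMBERS = [
    ("run_hash/meta.txt", b"benign\n"),
    ("../../escaped.txt", b"written outside the run directory\n"),
]


def build_traversal_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in MEMBERS:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_extract(tar_bytes: bytes, dest: str) -> None:
    """The vulnerable pattern: extractall() trusts member names as given.
    Interpreters with PEP 706 filters may default to a safer filter, so the
    pre-fix 'fully_trusted' behaviour is requested explicitly to reproduce it."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        if hasattr(tarfile, "fully_trusted_filter"):
            tar.extractall(dest, filter="fully_trusted")
        else:
            tar.extractall(dest)


def safe_extract(tar_bytes: bytes, dest: str) -> List[str]:
    """Refuse link members and any member resolving outside dest, then extract."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = tar.getmembers()
        for m in members:
            if m.issym() or m.islnk():
                raise ValueError(f"link member refused: {m.name!r}")
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"path traversal blocked: {m.name!r}")
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")  # second line of defence
        else:
            tar.extractall(dest)
    return [m.name for m in members]


# Assumption for this demo: a run hash is a lowercase hex token. The point is
# that a value used to build a filesystem path must not carry separators or '..'.
RUN_HASH_RE = re.compile(r"[0-9a-f]{8,64}")


def run_directory(repo_root: str, run_hash: str) -> str:
    if not RUN_HASH_RE.fullmatch(run_hash):
        raise ValueError(f"invalid run hash: {run_hash!r}")
    root_real = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root_real, run_hash))
    if os.path.dirname(target) != root_real:
        raise ValueError("run directory escapes repository root")
    return target


def demo() -> Dict[str, bool]:
    root = tempfile.mkdtemp(prefix="aim-tar-demo-")
    try:
        tar_bytes = build_traversal_tar()
        # Two levels below root, so '../../' lands inside the sandbox, not in /.
        unsafe_dest = os.path.join(root, "repo", "run-a")
        os.makedirs(unsafe_dest)
        unsafe_extract(tar_bytes, unsafe_dest)
        escaped = os.path.isfile(os.path.join(root, "escaped.txt"))

        safe_dest = os.path.join(root, "repo", "run-b")
        os.makedirs(safe_dest)
        try:
            safe_extract(tar_bytes, safe_dest)
            blocked = False
        except ValueError:
            blocked = True
        nothing_written = not os.path.exists(os.path.join(safe_dest, "run_hash"))

        try:
            run_directory(os.path.join(root, "repo"), "../../etc")
            hash_rejected = False
        except ValueError:
            hash_rejected = True
        return {
            "unsafe_escaped": escaped,
            "safe_blocked": blocked and nothing_written,
            "bad_run_hash_rejected": hash_rejected,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check runs over all members before anything is written, so a single bad entry aborts the whole archive rather than leaving a partially extracted run behind; the realpath/commonpath comparison also catches absolute member names and names that traverse through an existing symlink.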

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aim (PyPI)
Affected versions: <= 3.19.3
Patched versions: not listed

Affected products (3)

  • Aimhubio/Aimllm-fuzzy
    Range: = 3.19.3
  • ghsa-coords
    Range: <= 3.19.3
  • aimhubio/aimhubio/aimv5
    Range: unspecified

Patches (0)


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)


News mentions (0)


No linked articles in our index yet.