Severity: Medium

Project: aim

Unrestricted Code Execution via Outdated safer_getattr()

A vulnerability in AimQL's use of an outdated safer_getattr() function in version 3.22.0 allows attackers to leak server-side secrets or gain unrestricted code execution. This issue was patched in a later version.

Available publicly on Oct 20 2024

CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Credit: baroncrowley

Threat Overview

The vulnerability arises from the use of an outdated version of the safer_getattr() function in RestrictedPython, which does not protect against the str.format_map() method. This method allows attackers to read arbitrary attributes of Python objects, potentially leaking sensitive information such as environment variables. Furthermore, if an attacker can write files to a known location on the Aim server, they can escalate this vulnerability to unrestricted code execution by loading a malicious library into the Python interpreter.

Attack Scenario

An attacker could exploit this vulnerability by first using the str.format_map() method to leak sensitive environment variables from the server. If the attacker has the ability to upload files to the server, they could then upload a malicious library and use the same method to load it into the Python interpreter, achieving unrestricted code execution.
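The Threat Overview and Attack Scenario above hinge on one detail: a guard that refuses str.format() but not str.format_map() leaves the same attribute traversal open. The following is an added example, not code from the advisory, from Aim, or from RestrictedPython; both guards are simplified stand-ins for the outdated and patched checks, and the Config object and its values are constructed for the demonstration.

```python
def outdated_guard(obj, name, default=None):
    """Stand-in for the outdated check: refuses str.format but not format_map."""
    if name == "format" and isinstance(obj, str):
        raise NotImplementedError("Using format() on a str is not safe.")
    if name.startswith("_"):
        raise AttributeError(f'"{name}" is an invalid attribute name')
    return getattr(obj, name, default)


def hardened_guard(obj, name, default=None):
    """Stand-in for the patched check: refuses format AND format_map, both on
    str instances and on str itself (so str.format_map(...) is caught too)."""
    if name in ("format", "format_map") and (
        isinstance(obj, str) or (isinstance(obj, type) and issubclass(obj, str))
    ):
        raise NotImplementedError(f"Using {name}() on a str is not safe.")
    if name.startswith("_"):
        raise AttributeError(f'"{name}" is an invalid attribute name')
    return getattr(obj, name, default)


def lookup_allowed(guard, obj, name):
    """True if `guard` lets a sandboxed attribute lookup obj.<name> through."""
    try:
        guard(obj, name)
    except (NotImplementedError, AttributeError):
        return False
    return True


class Config:
    """Constructed object handed to sandboxed code; only .name is meant to be read."""
    def __init__(self):
        self.name = "demo"
        self.secret = "CONSTRUCTED-SECRET-VALUE"


def render(guard, template, exposed):
    """Simulate sandboxed code evaluating template.format_map({"cfg": exposed}).
    Only the method lookup goes through `guard`; the attribute traversal inside
    format_map ("{cfg.secret}") is done by str itself and bypasses the guard."""
    try:
        method = guard(template, "format_map")
    except NotImplementedError:
        return "blocked"
    return method({"cfg": exposed})


if __name__ == "__main__":
    print(render(outdated_guard, "{cfg.secret}", Config()))  # attribute leaks
    print(render(hardened_guard, "{cfg.secret}", Config()))  # blocked
```

The practical check for a deployment is the hardened behaviour: any lookup of format or format_map on a str, or on the str type itself, must be refused before the method is ever called.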

Who is affected

Users running AimQL version 3.22.0 who have sensitive environment variables and allow file uploads to the server are affected by this vulnerability.
