GitHub Advisory Database: GHSA-CPCW-9H9M-WQW9
History: Feb 06, 2024 - 3:32 p.m.

Allegro AI ClearML vulnerable to deserialization of untrusted data

2024-02-06 15:32:06
CWE-502
Source: GitHub Advisory Database (github.com)
Tags: allegro ai, clearml, vulnerability, client sdk, deserialization, untrusted data, malicious, artifact, arbitrary code, software

CVSS3: 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8.8 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 41.5%)

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Affected configurations

Vulners
Node: clearml, Range 0.17.0
OR
Node: clearml, Range 1.14.1

CPE
Name    | Operator | Version
clearml | ge       | 0.17.0
clearml | le       | 1.14.1
