CVE-2024-24590

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.
Configurations

Configuration 1

cpe:2.3:a:clear:clearml:*:*:*:*:*:*:*:*

History

15 Feb 2024, 15:43

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:clear:clearml:*:*:*:*:*:*:*:* |
| First Time | | Clear clearml; Clear |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 8.8 |
| References | https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/ | https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/ - Exploit, Technical Description, Third Party Advisory |
| CWE | | CWE-502 |

13 Feb 2024, 20:15

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | Deserialization of untrusted data can occur in version 0.17.0 or newer of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. | Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. |

06 Feb 2024, 15:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2024-02-06 15:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-24590

Mitre link : CVE-2024-24590

CVE.ORG link : CVE-2024-24590


Products Affected

clear

  • clearml
CWE
CWE-502

Deserialization of Untrusted Data