CVE-2024-24591

A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:clear:clearml:*:*:*:*:*:*:*:*

History

15 Feb 2024, 18:38

Type Values Removed Values Added
CPE cpe:2.3:a:clear:clearml:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:clear:clearml:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:clear:clearml:*:*:*:*:*:*:*:*

15 Feb 2024, 16:14

Type Values Removed Values Added
CWE CWE-22
First Time Clear clearml
Clear
CPE cpe:2.3:a:clear:clearml:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:clear:clearml:1.4.1:*:*:*:*:*:*:*
References () https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/ - () https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/ - Exploit, Technical Description, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8

13 Feb 2024, 20:15

Type Values Removed Values Added
Summary A path traversal vulnerability in version 1.4.0 or newer of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with. A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with.

06 Feb 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-06 15:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-24591

Mitre link : CVE-2024-24591

CVE.ORG link : CVE-2024-24591


JSON object : View

Products Affected

clear

  • clearml
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')