Platform
python
Component
clearml-server
Fixed in
1.14.2
CVE-2024-24593 describes a cross-site request forgery (CSRF) vulnerability present in all versions of the ClearML platform’s API server component up to 1.14.1. This vulnerability allows a remote attacker to craft malicious HTML to impersonate a user and execute API requests. Successful exploitation can lead to unauthorized access and compromise of confidential workspaces and files within the ClearML environment, potentially impacting instances within closed networks. The vulnerability is resolved in version 1.14.2.
The impact of this CSRF vulnerability is significant, allowing an attacker to effectively hijack user sessions within the ClearML platform. By crafting malicious HTML and tricking a legitimate user into visiting it, the attacker can execute arbitrary API requests as that user. This could involve creating, deleting, or modifying workspaces, accessing sensitive data stored within those workspaces, and potentially gaining control over the entire ClearML instance. The ability to target instances within closed networks amplifies the risk, as attackers could bypass external security controls and directly compromise internal systems. The potential for data exfiltration and unauthorized modifications makes this a high-priority vulnerability to address.
CVE-2024-24593 was publicly disclosed on February 6, 2024. While no active exploitation campaigns have been publicly reported, the ease of exploitation associated with CSRF vulnerabilities means it is likely to be targeted. The vulnerability's criticality (CVSS 9.6) underscores the need for prompt remediation. No KEV listing is currently available.
Organizations utilizing ClearML for machine learning experiment tracking and management are at risk. This includes teams managing sensitive data within ClearML workspaces, particularly those operating within closed or isolated network environments. Users who have not implemented robust authentication and authorization controls are also at increased risk.
• python / server:
```python
# Check the ClearML server version reported by its API against the fixed release
import requests

url = 'http://your-clearml-server/api/v1/info'  # replace with your server address
FIXED = (1, 14, 2)


def parse_version(v):
    # '1.14.1' -> (1, 14, 1); float('1.14.1') would raise ValueError
    return tuple(int(p) for p in v.split('.')[:3])


try:
    response = requests.get(url, timeout=10)
    response.raise_for_status()
    data = response.json()
    # The server may wrap the payload in a 'data' object; handle both shapes
    data = data.get('data', data)
    version = data.get('version', 'Unknown')
    print(f'ClearML Version: {version}')
    if version != 'Unknown' and parse_version(version) < FIXED:
        print('VULNERABLE: ClearML version is less than 1.14.2')
    else:
        print('ClearML version is patched.')
except (requests.exceptions.RequestException, ValueError) as e:
    print(f'Error connecting to ClearML server: {e}')
```
Exploit status
disclosure
EPSS
0.42% (62nd percentile)
CVSS vector
The primary mitigation for CVE-2024-24593 is to upgrade immediately to ClearML version 1.14.2 or later. If upgrading is not immediately feasible, consider temporary workarounds such as strict input validation and output encoding on all API endpoints to prevent malicious data from being processed. Additionally, enforce strong user authentication and authorization policies to limit the potential impact of a successful CSRF attack. Web application firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense. After upgrading, confirm the fix by attempting to trigger an API request through a crafted HTML page and verifying that it fails with an authentication error.
Update ClearML to version 1.14.2 or later. This version contains a fix for the CSRF vulnerability. See the release notes and upgrade instructions from Allegro AI.
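Until the upgrade is in place, one useful detection is to flag state-changing API calls whose browser-supplied Origin or Referer does not match the ClearML server's own origin, which is the signature of a cross-site forged request. This is an added example, not code from the advisory or the ClearML project; the log format, the server origin `clearml.example.internal` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

CLEARML_ORIGIN = "https://clearml.example.internal"  # assumed server origin

# Constructed log format: METHOD PATH STATUS "Origin" "Referer"
LOG_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<origin>[^"]*)" "(?P<referer>[^"]*)"$'
)
STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; '' when the header was absent."""
    if not url or url == "-":
        return ""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_suspicious(line: str, own_origin: str = CLEARML_ORIGIN) -> bool:
    """True for a state-changing /api/ call whose web origin is foreign."""
    m = LOG_RE.match(line.strip())
    if not m or not m["path"].startswith("/api/"):
        return False
    if m["method"] not in STATE_CHANGING:
        return False
    # Browsers send Origin on cross-site POSTs; fall back to Referer.
    src = origin_of(m["origin"]) or origin_of(m["referer"])
    # Neither header present: SDK/CLI traffic, not a browser; do not flag.
    return bool(src) and src != own_origin.lower()


def suspicious_lines(log: str) -> list:
    return [ln for ln in log.splitlines() if is_suspicious(ln)]


# Constructed sample lines (endpoint names illustrative, not captured traffic)
SAMPLE_LOG = """\
POST /api/v2.23/projects.create 200 "https://clearml.example.internal" "https://clearml.example.internal/projects"
POST /api/v2.23/tasks.delete 200 "https://attacker.example" "https://attacker.example/page.html"
GET /api/v2.23/users.get_current_user 200 "-" "-"
POST /api/v2.23/tasks.delete 200 "-" "-"
"""

if __name__ == "__main__":
    for ln in suspicious_lines(SAMPLE_LOG):
        print("cross-origin API write:", ln)
```

Requests with no Origin or Referer at all are left unflagged because the ClearML SDK and CLI do not send them; only a present, foreign origin on a write call is reported.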
CVE-2024-24593 is a critical cross-site request forgery (CSRF) vulnerability affecting ClearML versions 0.0 - 1.14.2, allowing attackers to impersonate users and compromise workspaces.
If you are running ClearML versions 0.0 through 1.14.1, you are affected by this vulnerability. Upgrade to version 1.14.2 or later to mitigate the risk.
The recommended fix is to upgrade to ClearML version 1.14.2 or later. Temporary workarounds include input validation and WAF implementation.
While no active exploitation campaigns have been publicly reported, the ease of exploitation associated with CSRF vulnerabilities suggests it is likely to be targeted.
Refer to the ClearML security advisory for detailed information and updates: [https://clear.ml/security/advisories/CVE-2024-24593](https://clear.ml/security/advisories/CVE-2024-24593)