Platform
other
Component
clearml-enterprise-server
Fixed in
3.22.6
CVE-2024-39272 describes a cross-site scripting (XSS) vulnerability affecting ClearML Enterprise Server. This flaw allows an attacker to inject malicious HTML code through the dataset upload functionality, potentially compromising user accounts and system integrity. The vulnerability impacts versions 3.22.5-1533, and a patch is available in version 3.22.6.
Successful exploitation of CVE-2024-39272 could allow an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This could lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the ClearML Enterprise Server interface. The attacker could potentially gain unauthorized access to sensitive data stored within the ClearML system, or even escalate privileges to compromise the underlying server. The blast radius extends to any user interacting with the dataset upload feature.
CVE-2024-39272 was published on 2025-02-06. Public proof-of-concept (PoC) code is currently unavailable, but the vulnerability's severity and ease of exploitation suggest a potential for active exploitation. The vulnerability is not currently listed on CISA KEV.
Organizations that rely on ClearML Enterprise Server for machine learning experiment tracking and management are at risk. This includes data science teams, DevOps engineers, and anyone responsible for managing ClearML infrastructure. Specifically, deployments using older versions (3.22.5-1533) are highly vulnerable.
• generic web: Use curl to test the dataset upload endpoint with a simple XSS payload (e.g., `<script>alert(1)</script>`). Check the response for the reflected payload (which would trigger the alert box when rendered in a browser).
  curl -X POST -d '<script>alert(1)</script>' <dataset_upload_url>
• generic web: Examine access and error logs for requests containing suspicious HTML tags or JavaScript code related to dataset uploads.
• other: Monitor ClearML Enterprise Server logs for unusual activity, specifically related to dataset uploads and user sessions. Look for unexpected JavaScript execution or redirection attempts.
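The log-review steps above can be turned into a small scanner. The following is an added example, not ClearML's or the advisory's code: it parses Combined Log Format access-log lines, keeps only requests to a dataset upload endpoint (the `/api/datasets/upload` path is an assumption, not taken from the advisory), decodes URL and HTML-entity encoding so layered encoding does not hide a payload, and flags the usual HTML/JS injection indicators. The log lines are constructed samples.

```python
"""Scan access logs for HTML/JS injection attempts against a dataset upload endpoint.

Added example, not ClearML's own code. The log format and the upload path are assumptions.
"""
import re
from html import unescape
from urllib.parse import unquote_plus

# Constructed sample log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [06/Feb/2025:10:01:02 +0000] "POST /api/datasets/upload HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - bob [06/Feb/2025:10:02:15 +0000] "POST /api/datasets/upload?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - carol [06/Feb/2025:10:03:44 +0000] "GET /api/datasets/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - carol [06/Feb/2025:10:04:10 +0000] "POST /api/datasets/upload?name=img%20onerror%3Dalert(1) HTTP/1.1" 400 0 "-" "Mozilla/5.0"
10.0.0.3 - dave [06/Feb/2025:10:05:00 +0000] "POST /api/datasets/upload?name=quarterly_report HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed upload endpoint; adjust to the deployment's real route.
UPLOAD_PATH = re.compile(r'^/api/datasets/upload(\?|$)')

# Indicators matched against the *decoded* request path. Event-handler matching
# (on...=) can produce false positives on parameter names; review hits by hand.
XSS_INDICATORS = re.compile(
    r'<\s*(script|iframe|img|svg|object|embed)\b'  # tag-based injection
    r'|javascript\s*:'                              # javascript: URLs
    r'|\bon[a-z]+\s*=',                             # inline event handlers
    re.IGNORECASE,
)


def decode(value: str, rounds: int = 3) -> str:
    """Undo URL and HTML-entity encoding up to `rounds` times (stops early when stable)."""
    for _ in range(rounds):
        new = unescape(unquote_plus(value))
        if new == value:
            break
        value = new
    return value


def scan_log(text: str) -> list[dict]:
    """Return one finding per upload request whose decoded path carries an XSS indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not UPLOAD_PATH.match(m['path']):
            continue
        decoded = decode(m['path'])
        hit = XSS_INDICATORS.search(decoded)
        if hit:
            findings.append({
                'ip': m['ip'],
                'user': m['user'],
                'time': m['ts'],
                'status': int(m['status']),
                'indicator': hit.group(0),
                'path': decoded,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} status={f['status']} "
              f"indicator={f['indicator']!r} path={f['path']}")
```

Note that a 400 response does not mean the attempt was harmless: the fourth sample line is still reported, because a rejected request tells you who is probing the endpoint, and the same user may succeed with a differently encoded payload. Running the scanner over the sample yields two findings, for `bob` and `carol`.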
disclosure
Exploit status
EPSS
0.64% (70th percentile)
CVSS vector
The primary mitigation for CVE-2024-39272 is to upgrade ClearML Enterprise Server to version 3.22.6 or later. If immediate upgrade is not possible, consider implementing strict input validation on the dataset upload functionality to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review ClearML Enterprise Server logs for suspicious activity related to dataset uploads.
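The interim mitigation above (strict input validation on the upload functionality) is best combined with output encoding, because tag-stripping alone is bypass-prone. The following is an added example, not ClearML's own code: it applies an allow-list to a dataset name, bounds the free-text description, and escapes both for the HTML body context at render time. The field names (`name`, `description`), the character allow-list and the length limits are assumptions, not values from the advisory.

```python
"""Allow-list validation plus context-aware output encoding for dataset upload metadata.

Added example, not ClearML's own code. Field names and limits are assumptions.
"""
import html
import re
from dataclasses import dataclass

# Dataset names: start alphanumeric, then a small allow-list; angle brackets,
# quotes and other HTML-significant characters are never accepted.
NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 _.\-]{0,127}$')
MAX_DESCRIPTION = 2000


class ValidationError(ValueError):
    """Raised when upload metadata fails validation; the upload should be rejected."""


@dataclass(frozen=True)
class DatasetMeta:
    name: str
    description: str


def validate_dataset_meta(fields: dict) -> DatasetMeta:
    """Validate user-supplied upload fields before they are stored."""
    name = str(fields.get('name', '')).strip()
    if not NAME_RE.fullmatch(name):
        raise ValidationError('dataset name contains disallowed characters or is too long')
    description = str(fields.get('description', ''))
    if len(description) > MAX_DESCRIPTION:
        raise ValidationError('description exceeds the maximum length')
    # The description is free text: it is stored verbatim and made safe by
    # escaping at render time, rather than by trying to strip tags here.
    return DatasetMeta(name=name, description=description)


def render_dataset_row(meta: DatasetMeta) -> str:
    """Escape every untrusted value for the HTML body context before interpolation."""
    return (
        f'<tr><td>{html.escape(meta.name)}</td>'
        f'<td>{html.escape(meta.description)}</td></tr>'
    )


def is_name_accepted(name: str) -> bool:
    """Convenience check: True if the name would pass validation."""
    try:
        validate_dataset_meta({'name': name})
    except ValidationError:
        return False
    return True


if __name__ == '__main__':
    meta = validate_dataset_meta({'name': 'quarterly_report',
                                  'description': 'Q1 data <b>not</b> cleaned'})
    print(render_dataset_row(meta))
    print('accepted' if is_name_accepted('<script>alert(1)</script>') else 'rejected')
```

The two layers are deliberately independent: even if a description containing `<script>` reaches storage (for instance via an API client that bypasses the form), `render_dataset_row` emits it as `&lt;script&gt;`, so the browser shows the text rather than executing it.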
Update ClearML Enterprise Server to a version after 3.22.5-1533 that has fixed the XSS vulnerability. Consult the release notes or the vendor's website for further information on the update and the fixes it contains. Apply the security measures recommended by ClearML to reduce the XSS risk.
CVE-2024-39272 is a critical Cross-Site Scripting (XSS) vulnerability in ClearML Enterprise Server versions 3.22.5-1533, allowing attackers to inject malicious HTML code.
If you are running ClearML Enterprise Server version 3.22.5-1533, you are vulnerable to this XSS attack. Upgrade to 3.22.6 or later to mitigate the risk.
The recommended fix is to upgrade to ClearML Enterprise Server version 3.22.6 or a later version. Input validation and WAF rules can provide temporary protection.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.
Refer to the ClearML security advisory for detailed information and updates: [https://clearml.com/security/advisories](https://clearml.com/security/advisories)