Platform
python
Component
clearml-server
Fixed in
1.14.2
CVE-2024-24593 describes a cross-site request forgery (CSRF) vulnerability present in all versions of the ClearML platform’s API server component up to 1.14.1. This vulnerability allows a remote attacker to craft malicious HTML to impersonate a user and execute API requests. Successful exploitation can lead to unauthorized access and compromise of confidential workspaces and files within the ClearML environment, potentially impacting instances within closed networks. The vulnerability is resolved in version 1.14.2.
The impact of this CSRF vulnerability is significant, allowing an attacker to effectively hijack user sessions within the ClearML platform. By crafting malicious HTML and tricking a legitimate user into visiting it, the attacker can execute arbitrary API requests as that user. This could involve creating, deleting, or modifying workspaces, accessing sensitive data stored within those workspaces, and potentially gaining control over the entire ClearML instance. The ability to target instances within closed networks amplifies the risk, as attackers could bypass external security controls and directly compromise internal systems. The potential for data exfiltration and unauthorized modifications makes this a high-priority vulnerability to address.
CVE-2024-24593 was publicly disclosed on February 6, 2024. While no active exploitation campaigns have been publicly reported, the ease of exploitation associated with CSRF vulnerabilities means it is likely to be targeted. The vulnerability's criticality (CVSS 9.6) underscores the need for prompt remediation. No KEV listing is currently available.
Exploit Status
EPSS
0.42% (62% percentile)
CVSS Vector
The primary mitigation for CVE-2024-24593 is to immediately upgrade to ClearML version 1.14.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as implementing strict input validation and output encoding on all API endpoints to prevent malicious data from being processed. Additionally, enforce strong user authentication and authorization policies to limit the potential impact of a successful CSRF attack. Web application firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense. After upgrading, confirm the fix by attempting to trigger an API request through a crafted HTML page and verifying that it fails with an authentication error.
Update ClearML to version 1.14.2 or higher. This version contains a fix for the CSRF vulnerability. See the release notes and upgrade instructions provided by Allegro AI.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-24593 is a critical cross-site request forgery (CSRF) vulnerability affecting ClearML versions 0.0 - 1.14.2, allowing attackers to impersonate users and compromise workspaces.
If you are running ClearML versions 0.0 through 1.14.1, you are affected by this vulnerability. Upgrade to version 1.14.2 or later to mitigate the risk.
The recommended fix is to upgrade to ClearML version 1.14.2 or later. Temporary workarounds include input validation and WAF implementation.
While no active exploitation campaigns have been publicly reported, the ease of exploitation associated with CSRF vulnerabilities suggests it is likely to be targeted.
Refer to the ClearML security advisory for detailed information and updates: [https://clear.ml/security/advisories/CVE-2024-24593](https://clear.ml/security/advisories/CVE-2024-24593)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.