Platform: python
Component: clearml-web
CVE-2024-24594 describes a critical Cross-Site Scripting (XSS) vulnerability in the web server component of the ClearML platform. It allows a remote attacker to inject JavaScript that executes in the browser of any user who views the Debug Samples tab of the web UI. All releases prior to the fix are affected, and immediate mitigation is advised to prevent data theft and unauthorized access.
The impact of this XSS vulnerability is significant. An attacker could leverage it to steal sensitive user data, including credentials and personally identifiable information (PII), by injecting malicious scripts into the Debug Samples tab. Successful exploitation could also lead to session hijacking, allowing the attacker to impersonate legitimate users and gain unauthorized access to the ClearML platform. The scope of potential impact extends to any user accessing the Debug Samples tab, potentially affecting a wide range of ClearML deployments.
CVE-2024-24594 was publicly disclosed on February 6, 2024. No active exploitation campaigns have been publicly confirmed, but the vulnerability's critical severity and low exploitation complexity make exploitation likely. It is not currently listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, which would increase the risk of widespread exploitation.
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2024-24594 is to upgrade to a patched version of ClearML as soon as one is available. Until the upgrade can be performed, apply temporary mitigations: configure a Web Application Firewall (WAF) to filter JavaScript payloads aimed at the Debug Samples tab, and restrict access to the Debug Samples tab to authorized personnel to reduce the attack surface. Test any configuration change in a non-production environment before applying it to production systems.
Update ClearML to the latest available version. This should include the fix for the XSS vulnerability. See the release notes for more details about the update.
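The root cause described above is untrusted debug-sample metadata reaching the DOM unescaped. The following added example (not ClearML's code; the field names `title`, `iteration` and `url` are assumptions, not ClearML's real schema) contrasts an unsafe string-concatenation render with one that escapes text fields and allows only http(s) sample sources, plus a scan helper a defender can run over stored metadata to flag records worth reviewing.

```javascript
// Characters that can break out of text or attribute context in HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs are acceptable as an <img> source; javascript:, data: etc. are rejected.
function safeSampleUrl(raw) {
  try {
    const u = new URL(String(raw));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null; // not a parseable URL at all
  }
}

// Vulnerable pattern: metadata interpolated straight into markup (what innerHTML would receive).
function renderUnsafe(sample) {
  return `<figure><figcaption>${sample.title} (iteration ${sample.iteration})</figcaption>` +
         `<img src="${sample.url}" alt="${sample.title}"></figure>`;
}

// Hardened pattern: every text field escaped, the source URL validated before use.
function renderDebugSample(sample) {
  const title = escapeHtml(sample.title);
  const iteration = escapeHtml(sample.iteration);
  const url = safeSampleUrl(sample.url);
  const media = url ? `<img src="${escapeHtml(url)}" alt="${title}">` : '<em>blocked source</em>';
  return `<figure><figcaption>${title} (iteration ${iteration})</figcaption>${media}</figure>`;
}

// Scan helper: flags markup or metadata that carries an inline event handler or a javascript: URL.
function containsScriptableMarkup(text) {
  return /<\w+[^>]*\son\w+\s*=/i.test(text) || /javascript:/i.test(text);
}

// Constructed, hostile metadata record (hypothetical field names) used to exercise both renders.
const hostileSample = {
  title: '<img src=x onerror="alert(1)">',
  iteration: 3,
  url: 'javascript:alert(document.cookie)',
};

console.log('unsafe flagged :', containsScriptableMarkup(renderUnsafe(hostileSample)));   // true
console.log('hardened flagged:', containsScriptableMarkup(renderDebugSample(hostileSample))); // false
```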
CVE-2024-24594 is a critical XSS vulnerability in ClearML's web server component, allowing attackers to execute JavaScript code via the Debug Samples tab.
Yes, if you are using any version of ClearML prior to the patched version, you are affected by this vulnerability. All versions are vulnerable.
Upgrade to the latest patched version of ClearML as soon as possible. Until then, implement WAF rules and restrict access to the Debug Samples tab.
No active exploitation campaigns have been confirmed, but the vulnerability's severity and low exploitation complexity make exploitation likely.
Refer to the official ClearML security advisory for detailed information and remediation steps: [https://clear.ml/security/advisories/CVE-2024-24594](https://clear.ml/security/advisories/CVE-2024-24594)