Platform
other
Component
clearml-enterprise-server
Fixed in
3.22.6
CVE-2024-39272 describes a cross-site scripting (XSS) vulnerability affecting ClearML Enterprise Server. This flaw allows an attacker to inject malicious HTML code through the dataset upload functionality, potentially compromising user accounts and system integrity. The vulnerability impacts versions 3.22.5-1533, and a patch is available in version 3.22.6.
Successful exploitation of CVE-2024-39272 could allow an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This could lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the ClearML Enterprise Server interface. The attacker could potentially gain unauthorized access to sensitive data stored within ClearML, such as experiment results, model configurations, and user credentials. Given the potential for data exfiltration and account takeover, this vulnerability poses a significant risk to organizations using ClearML Enterprise Server.
CVE-2024-39272 has been publicly disclosed. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the potential impact make it a likely target for attackers. The vulnerability's presence on the NVD and CISA advisories underscores its importance. No public proof-of-concept code has been released, but the vulnerability's nature suggests that it could be easily exploited.
Exploit Status
EPSS
0.64% (70% percentile)
CVSS Vector
The primary mitigation for CVE-2024-39272 is to upgrade ClearML Enterprise Server to version 3.22.6 or later, which contains the fix for this vulnerability. If an immediate upgrade is not possible, consider implementing input validation and sanitization on the dataset upload functionality to prevent the injection of malicious HTML code. Additionally, configure a Web Application Firewall (WAF) to detect and block requests containing suspicious HTML payloads. Monitor ClearML logs for unusual activity, particularly related to dataset uploads, and implement strict access controls to limit who can upload datasets.
Update ClearML Enterprise Server to a version later than 3.22.5-1533 that has addressed the XSS vulnerability. Refer to the release notes or vendor website for more information about the update and included fixes. Apply security measures recommended by ClearML to mitigate XSS risks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-39272 is a critical Cross-Site Scripting (XSS) vulnerability in ClearML Enterprise Server versions 3.22.5-1533, allowing attackers to inject malicious HTML code.
If you are running ClearML Enterprise Server version 3.22.5-1533, you are vulnerable to this XSS attack. Upgrade to 3.22.6 or later to mitigate the risk.
The recommended fix is to upgrade to ClearML Enterprise Server version 3.22.6 or a later version. Input validation and WAF rules can provide temporary protection.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.
Refer to the ClearML security advisory for detailed information and updates: [https://clearml.com/security/advisories](https://clearml.com/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.