Platform
python
Component
clearml-web
CVE-2024-24594 is a critical Cross-Site Scripting (XSS) vulnerability in the web server component of the ClearML platform, affecting every release prior to the fix. A remote attacker can inject JavaScript that runs in a user's browser when that user opens the Debug Samples tab in the web UI. Immediate mitigation is advised to prevent session compromise and unauthorized access to the platform.
The impact is significant. Script executing in the victim's browser runs with that user's session, so an attacker can read data visible in the web UI, including credentials and personally identifiable information (PII), exfiltrate session tokens, hijack the session and act as the legitimate user inside ClearML. Any user who opens the Debug Samples tab is in scope, so a single injected payload can affect many users of a deployment.
CVE-2024-24594 was publicly disclosed on February 6, 2024. No active exploitation campaigns have been publicly confirmed, the vulnerability is not listed in the CISA KEV catalog, and its EPSS score of 0.06% (19th percentile) places it low among scored CVEs. XSS bugs are nonetheless cheap to weaponize, and public proof-of-concept (PoC) code may appear, so deployments reachable by untrusted users should be treated as exposed until patched.
Organizations that depend on ClearML for machine learning experiment tracking and management are the primary population at risk, and teams that routinely use the Debug Samples tab for troubleshooting and analysis are the most likely to trigger a payload. Deployments in which ClearML shares a domain, and therefore cookies, with other applications widen the blast radius of a successful injection.
• python / server: Inspect ClearML web-server logs for requests aimed at the Debug Samples view that carry script-like content. Use Python's requests library to check whether a payload placed in the Debug Samples view is returned unescaped. The /debug_samples path and debug_sample parameter below are this page's placeholders, not a documented ClearML route; adjust them to the deployment under test.

import requests

# Placeholder path and parameter from this page; adjust to the deployment under test.
url = 'YOUR_CLEARML_URL/debug_samples'
payload = '<script>alert("XSS")</script>'
response = requests.get(url, params={'debug_sample': payload}, timeout=10)
# The raw tag in the body (rather than an escaped form such as &lt;script&gt;) means no output encoding.
print('unescaped' if payload in response.text else 'escaped or not reflected')

• generic web: Monitor web server access logs for requests whose URL parameters or POST bodies contain JavaScript, including percent-encoded or double-encoded forms, particularly requests targeting the /debug_samples endpoint.
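The log monitoring described above, as an added example that is not part of this page or of the ClearML project: a small scanner that parses combined-format access-log lines, strips layered percent and HTML-entity encoding from the request target, and flags requests carrying script tags, inline event handlers, javascript: URIs or injectable HTML tags. The log lines are constructed for the example, and the /debug_samples path is the placeholder used on this page, not a documented ClearML route.

```python
import html
import re
import urllib.parse

# Constructed sample lines in combined access-log format. They are illustrative,
# not captured from a real ClearML deployment, and /debug_samples is the
# placeholder path used on this page rather than a documented ClearML route.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2024:10:00:01 +0000] "GET /debug_samples?debug_sample=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.6 - - [06/Feb/2024:10:00:02 +0000] "GET /dashboard HTTP/1.1" 200 2048
10.0.0.7 - - [06/Feb/2024:10:00:03 +0000] "GET /debug_samples?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 512
10.0.0.8 - - [06/Feb/2024:10:00:04 +0000] "GET /projects/123/experiments HTTP/1.1" 200 4096
10.0.0.9 - - [06/Feb/2024:10:00:05 +0000] "GET /search?q=javascript%3Aalert(1) HTTP/1.1" 200 300
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Applied to the fully decoded request target, so encoded payloads are not missed.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_tag": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def decode_fully(value, max_rounds=3):
    """Undo layered percent and HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def parse_log_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urllib.parse.urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def scan_log(text):
    """Return one finding per request whose decoded target matches an XSS pattern."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        decoded = decode_fully(rec["target"])
        hits = [name for name, rx in XSS_PATTERNS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"],
                "decoded_target": decoded,
                "patterns": hits,
                # Requests to the Debug Samples view deserve priority triage.
                "debug_samples": "debug_samples" in rec["path"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "[debug-samples]" if f["debug_samples"] else ""
        print(f["ip"], f["method"], f["path"], ",".join(f["patterns"]), tag)
```

Decoding is repeated because a single unquote pass leaves the double-encoded `%253C` payload in the third line looking harmless. Note the limitation: this only sees payloads that travel in the request line. A stored XSS whose payload arrives through an API upload and is later rendered in the Debug Samples tab will not show a script in the URL, so the same decoding and matching should be applied to request bodies or API payloads wherever those are logged.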
disclosure
Exploitation status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-24594 is to upgrade to a patched version of ClearML as soon as it is available. Until the upgrade can be performed, configure a Web Application Firewall (WAF) to block script-like payloads directed at the Debug Samples view, bearing in mind that encoding variations can slip past signature rules and that a payload stored through the API does not pass through the UI path the WAF sees. Restrict access to the Debug Samples tab to authorized personnel to shrink the attack surface, and test every configuration change in a non-production environment before rolling it out to production.
Update ClearML to the latest version, which should include the fix for this XSS vulnerability. See the release notes for details.
CVE-2024-24594 is a critical XSS vulnerability in ClearML's web server component, allowing attackers to execute JavaScript code via the Debug Samples tab.
Yes, if you are using any version of ClearML prior to the patched version, you are affected by this vulnerability. All versions are vulnerable.
Upgrade to the latest patched version of ClearML as soon as possible. Until then, implement WAF rules and restrict access to the Debug Samples tab.
No active exploitation campaigns have been confirmed, the vulnerability is not in the CISA KEV catalog, and its EPSS score is low (0.06%, 19th percentile). XSS is nonetheless easy to weaponize once details are public, so patch promptly rather than relying on the absence of known campaigns.
Refer to the official ClearML security advisory for detailed information and remediation steps: [https://clear.ml/security/advisories/CVE-2024-24594](https://clear.ml/security/advisories/CVE-2024-24594)