Platform: other
Component: clearml-enterprise-server
Fixed in: 3.22.6
CVE-2024-39272 describes a cross-site scripting (XSS) vulnerability affecting ClearML Enterprise Server. This flaw allows an attacker to inject malicious HTML code through the dataset upload functionality, potentially compromising user accounts and system integrity. The vulnerability impacts versions 3.22.5-1533, and a patch is available in version 3.22.6.
Successful exploitation of CVE-2024-39272 could allow an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This could lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or defacing the ClearML Enterprise Server interface. The attacker could potentially gain unauthorized access to sensitive data stored within ClearML, such as experiment results, model configurations, and user credentials. Given the potential for data exfiltration and account takeover, this vulnerability poses a significant risk to organizations using ClearML Enterprise Server.
CVE-2024-39272 has been publicly disclosed. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the potential impact make it a likely target for attackers. The vulnerability's presence on the NVD and CISA advisories underscores its importance. No public proof-of-concept code has been released, but the vulnerability's nature suggests that it could be easily exploited.
Organizations that rely on ClearML Enterprise Server for machine learning experiment tracking and management are at risk. This includes data science teams, DevOps engineers, and anyone responsible for managing ClearML infrastructure. Specifically, deployments using older versions (3.22.5-1533) are highly vulnerable.
• generic web: Use curl to test the dataset upload endpoint with a simple XSS payload (e.g., `<script>alert(1)</script>`). Check the response for the alert box.
  `curl -X POST -d '<script>alert(1)</script>' <dataset_upload_url>`
• generic web: Examine access and error logs for requests containing suspicious HTML tags or JavaScript code related to dataset uploads.
• other: Monitor ClearML Enterprise Server logs for unusual activity, specifically related to dataset uploads and user sessions. Look for unexpected JavaScript execution or redirection attempts.
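The log-review steps above can be scripted. The following is an added example (not ClearML's code and not part of the original advisory): it scans combined-format access-log lines, URL-decodes the request target (including double-encoded values) and flags requests to a dataset-upload route that carry HTML tag or JavaScript-handler fragments. The `/api/v2/datasets/upload` route and the log lines are constructed placeholders; substitute your deployment's real upload paths.

```python
"""Flag access-log requests to dataset-upload endpoints that carry HTML/JS fragments."""
import re
from urllib.parse import unquote_plus

# Hypothetical route pattern: ClearML's real dataset-upload paths may differ.
UPLOAD_PATH_RE = re.compile(r"/datasets?(/|\.)", re.IGNORECASE)

# Markers typical of HTML-injection payloads, checked after URL-decoding.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

# Combined log format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def decode_target(target):
    """URL-decode up to three times (double-encoding is common) until the value is stable."""
    prev = None
    for _ in range(3):
        if prev == target:
            break
        prev, target = target, unquote_plus(target)
    return target

def scan_log(lines):
    """Return (client ip, method, decoded target) for suspicious dataset-upload requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = decode_target(m.group("target"))
        if UPLOAD_PATH_RE.search(decoded) and XSS_MARKERS.search(decoded):
            hits.append((m.group("ip"), m.group("method"), decoded))
    return hits

# Constructed sample lines (not real ClearML traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "POST /api/v2/datasets/upload?name=weather_v2 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "POST /api/v2/datasets/upload?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "GET /api/v2/datasets/upload?name=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jun/2024:12:00:04 +0000] "GET /api/v2/tasks?name=%3Cb%3Ebold%3C/b%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious upload request:", hit)
```

Only the request line is inspected, so payloads sent purely in a POST body need body logging (or WAF logs) to be visible; the last sample line shows that HTML in a non-dataset route is deliberately not flagged.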
disclosure
Exploit status
EPSS: 0.64% (70th percentile)
CVSS vector
The primary mitigation for CVE-2024-39272 is to upgrade ClearML Enterprise Server to version 3.22.6 or later, which contains the fix for this vulnerability. If an immediate upgrade is not possible, consider implementing input validation and sanitization on the dataset upload functionality to prevent the injection of malicious HTML code. Additionally, configure a Web Application Firewall (WAF) to detect and block requests containing suspicious HTML payloads. Monitor ClearML logs for unusual activity, particularly related to dataset uploads, and implement strict access controls to limit who can upload datasets.
Update ClearML Enterprise Server to a version later than 3.22.5-1533 that has fixed the XSS vulnerability. Consult the release notes or the vendor's website for more information about the update and the fixes it includes. Apply the security measures recommended by ClearML to mitigate XSS risks.
CVE-2024-39272 is a critical Cross-Site Scripting (XSS) vulnerability in ClearML Enterprise Server versions 3.22.5-1533, allowing attackers to inject malicious HTML code.
If you are running ClearML Enterprise Server version 3.22.5-1533, you are vulnerable to this XSS attack. Upgrade to 3.22.6 or later to mitigate the risk.
The recommended fix is to upgrade to ClearML Enterprise Server version 3.22.6 or a later version. Input validation and WAF rules can provide temporary protection.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.
Refer to the ClearML security advisory for detailed information and updates: [https://clearml.com/security/advisories](https://clearml.com/security/advisories)