CRITICAL🇵🇱 Wersja polska

CVE-2024-24592

CVSS 9.8v3.1pub. 2024-02-06upd. 2024-11-21

Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files.

🤖 AI Analysis
How it works

The ClearML platform's fileserver component does not implement authentication mechanisms (CWE-287) and does not verify whether the request comes from an authorized user (CWE-425 – forced browsing). A remote attacker, without any credentials, can send requests directly to the file server. This allows reading, creating, modifying, and deleting any files stored by the platform.

Impact

An attacker can gain unauthorized access to data stored in the MLOps platform, as well as modify or delete files, which may lead to violations of confidentiality, integrity, and availability of ClearML system resources.

Mitigation & patch

Apply patches available from the manufacturer according to the references. As a temporary measure, it is recommended to restrict network access to the fileserver component through a firewall or network segmentation, so that it is accessible only to trusted hosts.

Who is affected

All versions of the fileserver component in Allegro AI ClearML platform

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Clear Clearml

    APP
    Clear
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-24593CRITICAL9.6PL ✓ten sam produkt

CSRF w ClearML API Server — podszywanie się pod użytkownika

CVE-2024-24594CRITICAL9.9PL ✓ten sam produkt

XSS w ClearML — wykonanie JavaScript przez zakładkę Debug Samples

CVE-2024-24590HIGH8.0ten sam produkt

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s Cle...

CVE-2024-24591HIGH8.0ten sam produkt

A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform ...

CVE-2024-24595MEDIUM6.0ten sam produkt

Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulti...