PyPi: Clearml

CVE-2024-24590

Safety vulnerability ID: 65114

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 06, 2024 Updated at Dec 07, 2024

Scan your Python projects for vulnerabilities →

Advisory

Clearml version 1.14.3 introduces a hash check for pickle files to tackle CVE-2024-24590. This vulnerability allowed the deserialization of untrusted data in ClearML versions 0.17.0 and newer, potentially enabling the execution of arbitrary code through maliciously uploaded artifacts.
https://github.com/allegroai/clearml/commit/e506831599bd8e072e5e54266abfccdfbe4be2ac

Affected package

clearml

Latest version: 1.16.5

ClearML - Auto-Magical Experiment Manager, Version Control, and MLOps for AI

Affected versions

Fixed versions

Vulnerability changelog

New Features and Bug Fixes

- Add hash check for pickle files (resolves CVE-2024-24590)
- Fix `clearml-task` relative paths calculation when `--cwd`, `--folder` and `--script` are provided (1161, thanks dimidagd!)
- Fix regression causing an error when `secure` is provided in AWS S3 bucket settings

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24590

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 8.8

CVSS v3 Details

HIGH 8.8

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Availability (A): HIGH