CVE-2024-24590 - OpenCVE

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Clear	Clearml

Configuration 1 [-]

cpe:2.3:a:clear:clearml:*:*:*:*:*:*:*:*

References

Link	Resource
https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/	Exploit Technical Description Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HiddenLayer

Published: 2024-02-06T14:40:26.963Z

Updated: 2024-02-13T19:51:09.693Z

Reserved: 2024-01-25T22:42:48.977Z

Link: CVE-2024-24590

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-02-06T15:15:09.100

Modified: 2024-02-15T15:43:23.723

Link: CVE-2024-24590

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-24590", "assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "state": "PUBLISHED", "assignerShortName": "HiddenLayer", "dateReserved": "2024-01-25T22:42:48.977Z", "datePublished": "2024-02-06T14:40:26.963Z", "dateUpdated": "2024-02-13T19:51:09.693Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "clearml", "product": "ClearML", "repo": "https://github.com/allegroai/clearml", "vendor": "Allegro.AI", "versions": [{"lessThan": "1.14.3", "status": "affected", "version": "0.17.0", "versionType": "custom"}]}], "datePublic": "2024-02-06T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI\u2019s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user\u2019s system when interacted with.</span><br>"}], "value": "Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI\u2019s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user\u2019s system when interacted with.\n"}], "impacts": [{"capecId": "CAPEC-549", "descriptions": [{"lang": "en", "value": "CAPEC-549 Local Execution of Code"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "shortName": "HiddenLayer", "dateUpdated": "2024-02-13T19:51:09.693Z"}, "references": [{"url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clear:clearml:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6977435-CDE5-4CE8-B6CA-A302E5841FF2", "versionEndIncluding": "1.14.2", "versionStartIncluding": "0.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI\u2019s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user\u2019s system when interacted with.\n"}, {"lang": "es", "value": "La deserializaci\u00f3n de datos que no son de confianza puede ocurrir en la versi\u00f3n 0.17.0 o posterior de la plataforma ClearML de Allegro AI, lo que permite que un artefacto cargado maliciosamente ejecute c\u00f3digo arbitrario en el sistema de un usuario final cuando interact\u00faa con \u00e9l."}], "id": "CVE-2024-24590", "lastModified": "2024-02-15T15:43:23.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}, "published": "2024-02-06T15:15:09.100", "references": [{"source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "type": "Secondary"}]}