Beware of Malicious Artifacts on ClearML Platform – Allegro AI

CVECVE-2024-24590
CVSScvssV3_1: 8
SourceCVE-2024-24590

ClearML, an open-source machine learning platform developed by Allegro AI, is affected by a deserialization vulnerability that could allow attackers to execute arbitrary code on users’ systems.

The vulnerability exists in version 0.17.0 and above of ClearML and is caused due to the deserialization of untrusted data. Malicious actors can craft a specially crafted artifact and upload it to the platform. When an unsuspecting user downloads and interacts with this artifact, it could potentially run malicious code on their computer.

Attackers can exploit this to infect users’ devices with malware, steal sensitive information like passwords/credentials or take complete control of the affected systems. All they need to do is get a user to download a boobytrapped artifact.

To stay protected, ClearML users should avoid downloading artifacts from unknown or untrusted sources. It is also recommended to keep ClearML and all other applications on the system up-to-date with the latest patches. This will help fix vulnerabilities over time. Users must also be cautious about granting storage permissions or installing unfamiliar apps/extensions.

Allegro AI has released an update to address this issue. All ClearML users are urged to upgrade to the latest version as soon as possible to patch their installations against this threat. Regular security updates are important to have the latest defenses.

References