Beware of Malicious Artifacts on ClearML Platform – Allegro AI

CVECVE-2024-24590
CVSScvssV3_1: 8
SourceCVE-2024-24590

ClearML, an open-source machine learning platform developed by Allegro AI, is affected by a deserialization vulnerability that could allow attackers to execute arbitrary code on users’ systems.

The vulnerability exists in version 0.17.0 and above of ClearML and is caused due to the deserialization of untrusted data. Malicious actors can craft a specially crafted artifact and upload it to the platform. When an unsuspecting user downloads and interacts with this artifact, it could potentially run malicious code on their computer.

Attackers can exploit this to infect users’ devices with malware, steal sensitive information like passwords/credentials or take complete control of the affected systems. All they need to do is get a user to download a boobytrapped artifact.

To stay protected, ClearML users should be very careful about downloading artifacts from unknown or untrusted sources. It is also recommended to keep ClearML and all related software up-to-date with the latest patches. Users must avoid running any untrusted scripts or programs received from the platform.

Allegro AI has released an update to address this issue, so users are urged to upgrade to the latest version at the earliest for their online security and privacy. Being cautious about what we download and install can go a long way in keeping cyber threats at bay.

References