Beware of Malicious Datasets on Allegro AI’s ClearML Platform

CVECVE-2024-24591
CVSScvssV3_1: 8
SourceCVE-2024-24591

Allegro AI’s ClearML platform is a popular machine learning tool used by data scientists and developers. Unfortunately, a path traversal vulnerability has been discovered that could allow a bad actor to write files to a user’s system when interacting with a maliciously uploaded dataset.

Path traversal attacks work by navigating to files and folders outside of the intended scope through the manipulation of file paths. In this case, a dataset uploaded to ClearML could potentially write files to any location on the user’s machine or even remotely if the paths are not sanitized properly.

If exploited, this could enable the installation of malware, extraction of sensitive information or other unwanted changes to users’ systems. Datasets are often used unattended by ClearML for training models, so there may be limited user interaction to stop such an attack.

As with any software, keeping ClearML up to date with the latest patches is important to protect against known issues like this one. Users should also be cautious about opening datasets from unknown or untrusted sources for the time being. Allegro AI is working on resolving the vulnerability, but extra precautions are advised until then.

References