Critical File Access Vulnerability Patched in Allegro AI’s ClearML Platform

CVECVE-2024-24592
CVSScvssV3_1: 9.8
SourceCVE-2024-24592

Allegro AI’s ClearML is a machine learning platform for managing experiments and model development. A critical vulnerability was discovered that could allow unauthenticated access to files on ClearML fileservers.

The vulnerability, tracked as CVE-2024-24592, is due to a lack of authentication checks. This would allow any remote attacker to access, modify, create or delete files on ClearML fileservers without any credentials. They could access sensitive data like model files, hyperparameters or source code.

An attacker could exploit this by directly interacting with the ClearML fileserver APIs or user interfaces without needing valid login details. They would have full control over files, posing a major data breach risk.

Allegro AI has released an update to address this issue by adding authentication validation for all fileserver operations. Users are recommended to update their ClearML installations as soon as possible to apply the fix. Organizations should also review any files accessed during the vulnerable period to ensure no data was compromised.

By keeping ClearML updated with the latest security patches, users can help protect their machine learning data and models from unauthorized access through such vulnerabilities. Regular review of authentication on such platforms is also advised.

References