Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcGN3LTloOW0td3F3Oc4AA5Hb
Allegro AI ClearML vulnerable to deserialization of untrusted data
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.
Permalink: https://github.com/advisories/GHSA-cpcw-9h9m-wqw9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcGN3LTloOW0td3F3Oc4AA5Hb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 9 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-cpcw-9h9m-wqw9, CVE-2024-24590
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-24590
- https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain
- https://github.com/advisories/GHSA-cpcw-9h9m-wqw9
Affected Packages
pypi:clearml
Dependent packages: 18Dependent repositories: 173
Downloads: 323,590 last month
Affected Version Ranges: >= 0.17.0, <= 1.14.1
No known fixed version
All affected versions: 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1