Allegro AI’s ClearML platform, a widely used MLOps solution, has been identified with a critical security vulnerability, tracked as CVE-2024-24593. This Cross-Site Request Forgery (CSRF) flaw affects all versions up to 1.14.1 of the platform’s API server component, posing serious risks to users.
The vulnerability allows a remote attacker to impersonate a legitimate user by exploiting crafted HTML to send malicious API requests. Successful exploitation opens the door for the attacker to compromise confidential workspaces and files, potentially leading to data leaks and exposure of sensitive information. Particularly concerning is the ability of the attacker to target instances of the ClearML platform within closed-off networks, exacerbating the potential impact.
The severity of this vulnerability is underscored by its CVSS 3.x score, with NIST rating it as 8.8 (HIGH) and the CNA scoring it at 9.6 (CRITICAL). The discrepancy in scores highlights the critical nature of the issue, emphasizing the urgent need for users to address and patch their ClearML installations promptly.
Reference:
