Cross-Site Request Forgery (CSRF) Vulnerability in Allegro AI's ClearML Platform Allows Remote Attacker to Impersonate Users
CVE-2024-24593

8.8 HIGH

Key Information:

Vendor: Allegro.AI
Status: Vendor
CVE Published: 6 February 2024

What is CVE-2024-24593?

A cross-site request forgery (CSRF) vulnerability exists in all versions up to 1.14.1 of the API server component of Allegro AI’s ClearML platform. Because the API server accepts state-changing requests authenticated by the browser's session cookie, a remote attacker can impersonate a logged-in user by luring them to a malicious HTML page that submits crafted API requests on their behalf. Exploitation can lead to unauthorized access to confidential workspaces and leakage of sensitive information, and it reaches ClearML instances even on isolated networks, since the victim's own browser carries the forged request. Organizations running ClearML should prioritize upgrading to a fixed version (1.14.2 or later) to safeguard their data and maintain the integrity of their operations.
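A defensive illustration of the request-side checks that stop the forged, cookie-authenticated API calls described above (an added example, not ClearML's own code; the origin allowlist, custom header name and sample requests are assumptions for the demonstration):

```python
# Added example (not ClearML's code): a CSRF guard for an API server that
# authenticates browser callers by session cookie. Origins, header names
# and the sample requests below are constructed for illustration.
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"https://clearml.example.internal"}  # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(headers: Dict[str, str]) -> Optional[str]:
    """Return the caller's origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def csrf_guard(method: str, headers: Dict[str, str], cookie_auth: bool) -> Tuple[bool, str]:
    """Decide whether a state-changing, cookie-authenticated request may proceed.

    Returns (allowed, reason). Requests authenticated by a token in a header
    cannot be forged from a foreign page, so they pass unchanged.
    """
    if method.upper() in SAFE_METHODS or not cookie_auth:
        return True, "not a cookie-authenticated state change"
    # A cross-site form post cannot carry a custom header, and a cross-site
    # fetch() that adds one triggers a CORS preflight the server must refuse.
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return False, "missing custom header (cross-site form post?)"
    origin = _origin_of(headers)
    if origin is None:
        return False, "no Origin/Referer to verify"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"
    return True, "same-origin request"


# Constructed requests: a forged POST from a malicious page, and a legitimate one.
FORGED = {"Origin": "https://attacker.example",
          "Content-Type": "application/x-www-form-urlencoded"}
LEGIT = {"Origin": "https://clearml.example.internal",
         "X-Requested-With": "XMLHttpRequest", "Content-Type": "application/json"}

if __name__ == "__main__":
    print(csrf_guard("POST", FORGED, cookie_auth=True))  # (False, 'missing custom header ...')
    print(csrf_guard("POST", LEGIT, cookie_auth=True))   # (True, 'same-origin request')
```

Pairing these checks with a `SameSite` attribute on the session cookie gives a second, browser-enforced layer that does not depend on application code.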

Affected Version(s)

ClearML 0 < 1.14.2

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved