GHSA-cpcw-9h9m-wqw9

Source
https://github.com/advisories/GHSA-cpcw-9h9m-wqw9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-cpcw-9h9m-wqw9/GHSA-cpcw-9h9m-wqw9.json
Aliases
  • CVE-2024-24590
Published
2024-02-06T15:32:06Z
Modified
2024-02-16T22:01:18.770064Z
Details

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.

References

Affected packages

PyPI / clearml

Package

Name
clearml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.17.0
Last affected
1.14.1

Affected versions

0.*

0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5rc0
0.17.5rc1
0.17.5rc2
0.17.5rc3
0.17.5rc4
0.17.5rc5
0.17.5rc6
0.17.5
0.17.6rc1

1.*

1.0.0
1.0.1
1.0.2rc0
1.0.2
1.0.3rc0
1.0.3rc1
1.0.3
1.0.4rc0
1.0.4rc1
1.0.4
1.0.5
1.0.6rc1
1.0.6rc2
1.1.0
1.1.1
1.1.2rc0
1.1.2
1.1.3rc0
1.1.3
1.1.4rc0
1.1.4
1.1.5rc0
1.1.5rc1
1.1.5rc2
1.1.5rc3
1.1.5rc4
1.1.5rc5
1.1.5rc6
1.1.5rc7
1.1.5
1.1.6rc0
1.1.6
1.2.0rc0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1rc0
1.2.1
1.3.0rc0
1.3.0rc1
1.3.0rc2
1.3.0
1.3.1rc0
1.3.1
1.3.2rc0
1.3.2rc1
1.3.2rc2
1.3.2rc3
1.3.2rc4
1.3.2
1.3.3rc0
1.3.3rc1
1.3.3rc2
1.4.0
1.4.1rc0
1.4.1
1.4.2rc0
1.4.2rc1
1.5.0
1.6.0
1.6.1
1.6.2rc0
1.6.2
1.6.3rc0
1.6.3rc1
1.6.3
1.6.4
1.6.5rc0
1.6.5rc1
1.6.5rc2
1.7.0rc0
1.7.0rc1
1.7.0
1.7.1rc0
1.7.1rc1
1.7.1rc2
1.7.1
1.7.2rc0
1.7.2rc1
1.7.2rc2
1.7.2
1.7.3rc0
1.7.3rc1
1.8.0
1.8.1rc0
1.8.1
1.8.2
1.8.3
1.8.4rc0
1.8.4rc1
1.8.4rc2
1.9.0
1.9.1rc0
1.9.1
1.9.2rc0
1.9.2rc1
1.9.2rc2
1.9.2
1.9.3
1.10.0rc0
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4rc0
1.10.4rc1
1.10.4
1.11.0rc0
1.11.0
1.11.1rc0
1.11.1rc1
1.11.1rc2
1.11.1
1.11.2rc0
1.12.0
1.12.1rc0
1.12.1
1.12.2rc0
1.12.2
1.13.0
1.13.1
1.13.2rc0
1.13.2rc1
1.13.2rc2
1.13.2rc3
1.13.2
1.13.3rc0
1.13.3rc1
1.14.0rc0
1.14.0
1.14.1rc0
1.14.1